Windows Analysis Report
BCb8yQ0fg8.exe

Overview

General Information

Sample name: BCb8yQ0fg8.exe
(renamed because the original name is a hash value)
Original sample name: 807675A50EE7545E02DAEAC9822842B7.exe
Analysis ID: 1434650
MD5: 807675a50ee7545e02daeac9822842b7
SHA1: 967094e1ef9155a031687396ba99855e54870612
SHA256: 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
Tags: exe, Stealc

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • BCb8yQ0fg8.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\BCb8yQ0fg8.exe" MD5: 807675A50EE7545E02DAEAC9822842B7)
    • cmd.exe (PID: 7272 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 8120 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • chrome.exe (PID: 7372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7588 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://193.163.7.88/a69d09b357e06b52.php"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\cgfmw | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\cgfmw | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
decrypted.memstr | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
1.2.cmd.exe.38e00c8.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
1.2.cmd.exe.38e00c8.0.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
1.2.cmd.exe.38e00c8.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
1.2.cmd.exe.38e00c8.0.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |

System Summary

Source: Process started | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7272, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 8120, ProcessName: explorer.exe
No Snort rule has matched

AV Detection

Source: http://193.163.7.88/a69d09b357e06b52.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\cgfmw | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack | Malware Configuration Extractor: Vidar {"C2 url": "http://193.163.7.88/a69d09b357e06b52.php"}
Source: BCb8yQ0fg8.exe | Virustotal: Detection: 19%
Source: BCb8yQ0fg8.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\cgfmw | Joe Sandbox ML: detected
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack | String decryptor (one decrypted string per line):
  • INSERT_KEY_HERE
  • GetProcAddress
  • LoadLibraryA
  • lstrcatA
  • OpenEventA
  • CreateEventA
  • CloseHandle
  • Sleep
  • GetUserDefaultLangID
  • VirtualAllocExNuma
  • VirtualFree
  • GetSystemInfo
  • VirtualAlloc
  • HeapAlloc
  • GetComputerNameA
  • lstrcpyA
  • GetProcessHeap
  • GetCurrentProcess
  • lstrlenA
  • ExitProcess
  • GlobalMemoryStatusEx
  • GetSystemTime
  • SystemTimeToFileTime
  • advapi32.dll
  • gdi32.dll
  • user32.dll
  • crypt32.dll
  • ntdll.dll
  • GetUserNameA
  • CreateDCA
  • GetDeviceCaps
  • ReleaseDC
  • CryptStringToBinaryA
  • sscanf
  • VMwareVMware
  • HAL9TH
  • JohnDoe
  • DISPLAY
  • %hu/%hu/%hu
  • http://193.163.7.88
  • /a69d09b357e06b52.php
  • /f77a9ad318e8e915/
  • cozy15
  • GetEnvironmentVariableA
  • GetFileAttributesA
  • GlobalLock
  • HeapFree
  • GetFileSize
  • GlobalSize
  • CreateToolhelp32Snapshot
  • IsWow64Process
  • Process32Next
  • GetLocalTime
  • FreeLibrary
  • GetTimeZoneInformation
  • GetSystemPowerStatus
  • GetVolumeInformationA
  • GetWindowsDirectoryA
  • Process32First
  • GetLocaleInfoA
  • GetUserDefaultLocaleName
  • GetModuleFileNameA
  • DeleteFileA
  • FindNextFileA
  • LocalFree
  • FindClose
  • SetEnvironmentVariableA
  • LocalAlloc
  • GetFileSizeEx
  • ReadFile
  • SetFilePointer
  • WriteFile
  • CreateFileA
  • FindFirstFileA
  • CopyFileA
  • VirtualProtect
  • GetLogicalProcessorInformationEx
  • GetLastError
  • lstrcpynA
  • MultiByteToWideChar
  • GlobalFree
  • WideCharToMultiByte
  • GlobalAlloc
  • OpenProcess
  • TerminateProcess
  • GetCurrentProcessId
  • gdiplus.dll
  • ole32.dll
  • bcrypt.dll
  • wininet.dll
  • shlwapi.dll
  • shell32.dll
  • psapi.dll
  • rstrtmgr.dll
  • CreateCompatibleBitmap
  • SelectObject
  • BitBlt
  • DeleteObject
  • CreateCompatibleDC
  • GdipGetImageEncodersSize
  • GdipGetImageEncoders
  • GdipCreateBitmapFromHBITMAP
  • GdiplusStartup
  • GdiplusShutdown
  • GdipSaveImageToStream
  • GdipDisposeImage
  • GdipFree
  • GetHGlobalFromStream
  • CreateStreamOnHGlobal
  • CoUninitialize
  • CoInitialize
  • CoCreateInstance
  • BCryptGenerateSymmetricKey
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptSetProperty
  • BCryptDestroyKey
  • BCryptOpenAlgorithmProvider
  • GetWindowRect
  • GetDesktopWindow
  • GetDC
  • CloseWindow
  • wsprintfA
  • EnumDisplayDevicesA
  • GetKeyboardLayoutList
  • CharToOemW
  • wsprintfW
  • RegQueryValueExA
  • RegEnumKeyExA
  • RegOpenKeyExA
  • RegCloseKey
  • RegEnumValueA
  • CryptBinaryToStringA
  • CryptUnprotectData
  • SHGetFolderPathA
  • ShellExecuteExA
  • InternetOpenUrlA
  • InternetConnectA
  • InternetCloseHandle
  • InternetOpenA
  • HttpSendRequestA
  • HttpOpenRequestA
  • InternetReadFile
  • InternetCrackUrlA
  • StrCmpCA
  • StrStrA
  • StrCmpCW
  • PathMatchSpecA
  • GetModuleFileNameExA
  • RmStartSession
  • RmRegisterResources
  • RmGetList
  • RmEndSession
  • sqlite3_open
  • sqlite3_prepare_v2
  • sqlite3_step
  • sqlite3_column_text
  • sqlite3_finalize
  • sqlite3_close
  • sqlite3_column_bytes
  • sqlite3_column_blob
  • encrypted_key
  • PATH
  • C:\ProgramData\nss3.dll
  • NSS_Init
  • NSS_Shutdown
  • PK11_GetInternalKeySlot
  • PK11_FreeSlot
  • PK11_Authenticate
  • PK11SDR_Decrypt
  • C:\ProgramData\
  • SELECT origin_url, username_value, password_value FROM logins
  • browser:
  • profile:
  • url:
  • login:
  • password:
  • Opera
  • OperaGX
  • Network
  • cookies
  • .txt
  • TRUE
  • FALSE
  • autofill
  • SELECT name, value FROM autofill
  • history
  • SELECT url FROM urls LIMIT 1000
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  • name:
  • month:
  • year:
  • card:
  • Cookies
  • Login Data
  • Web Data
  • History
  • logins.json
  • formSubmitURL
  • usernameField
  • encryptedUsername
  • encryptedPassword
  • guid
  • SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT url FROM moz_places LIMIT 1000
  • cookies.sqlite
  • formhistory.sqlite
  • places.sqlite
  • plugins
  • Local Extension Settings
  • Sync Extension Settings
  • IndexedDB
  • Opera Stable
  • Opera GX Stable
  • CURRENT
  • chrome-extension_
  • _0.indexeddb.leveldb
  • Local State
  • profiles.ini
  • chrome
  • opera
  • firefox
  • wallets
  • %08lX%04lX%lu
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • ProductName
  • %d/%d/%d %d:%d:%d
  • HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • ProcessorNameString
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • DisplayName
  • DisplayVersion
  • Network Info:
  • - IP: IP?
  • - Country: ISO?
  • System Summary:
  • - HWID:
  • - OS:
  • - Architecture:
  • - UserName:
  • - Computer Name:
  • - Local Time:
  • - UTC:
  • - Language:
  • - Keyboards:
  • - Laptop:
  • - Running Path:
  • - CPU:
  • - Threads:
  • - Cores:
  • - RAM:
  • - Display Resolution:
  • - GPU:
  • User Agents:
  • Installed Apps:
  • All Users:
  • Current User:
  • Process List:
  • system_info.txt
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll
  • \Temp\
  • .exe
  • runas
  • open
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: /c start
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %DESKTOP%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %APPDATA%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %LOCALAPPDATA%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %USERPROFILE%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %DOCUMENTS%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %PROGRAMFILES%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %PROGRAMFILES_86%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: %RECENT%
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: *.lnk
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: files
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \discord\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \Local Storage\leveldb\CURRENT
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \Local Storage\leveldb
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \Telegram Desktop\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: key_datas
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: D877F783D5D3EF8C*
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: map*
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: A7FDF864FBC10B77*
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: A92DAA6EA6F891F2*
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: F8806DD0C461824F*
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Telegram
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: *.tox
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: *.ini
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Password
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: 00000001
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: 00000002
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: 00000003
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: 00000004
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \Outlook\accounts.txt
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Pidgin
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \.purple\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: accounts.xml
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: dQw4w9WgXcQ
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: token:
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Software\Valve\Steam
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: SteamPath
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \config\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: ssfn*
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: config.vdf
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: DialogConfig.vdf
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: DialogConfigOverlay*.vdf
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: libraryfolders.vdf
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: loginusers.vdf
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \Steam\
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: sqlite3.dll
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: browsers
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: done
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: soft
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: \Discord\tokens.txt
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: /c timeout /t 5 & del /f /q "
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: C:\Windows\system32\cmd.exe
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: https
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: POST
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: HTTP/1.1
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: Content-Disposition: form-data; name="
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: hwid
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: build
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: token
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: file_name
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: file
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: message
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                        Source: 1.2.cmd.exe.38e00c8.0.raw.unpackString decryptor: screenshot.jpg
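Two of the decrypted string groups above are directly usable for detection and triage. The fragments "/c timeout /t 5 & del /f /q \"" and "\" & del \"C:\ProgramData\*.dll\"\" & exit" are the self-deletion command line handed to C:\Windows\system32\cmd.exe, and the "Content-Type: multipart/form-data; boundary=----", "Content-Disposition: form-data; name=\"" and "hwid / build / token / file_name / file / message" strings describe the shape of the exfiltration POST (the boundary is drawn from the listed alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890). The Python below is an added example for this page, not code from the Joe Sandbox report or from the sample: it extracts the deleted path from a process-creation command line matching that pattern, and parses a multipart body to check for the stealer's part set. The command line, boundary, token and body contents are constructed for the example; only the string fragments and part names come from the report.

```python
"""Triage helpers keyed on the decrypted Stealc-family strings listed above.

1. self_delete_target(): recognise the self-deletion command line the stealer
   hands to cmd.exe and return the path it deletes (its own executable).
2. parse_multipart() / looks_like_stealer_upload(): parse a multipart/form-data
   upload and check for the hwid/build/token/file_name/file/message part set.

All sample inputs below are constructed for this example.
"""
import re
from typing import Dict, Optional

# Built from the decrypted fragments:
#   "/c timeout /t 5 & del /f /q \""  +  <path>  +  "\" & del \"C:\ProgramData\*.dll\"\" & exit"
# The doubled quote after *.dll is in the sample's own string, so it is optional here.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+"(?P<target>[^"]+)"'
    r'\s*&\s*del\s+"C:\\ProgramData\\\*\.dll""?\s*&\s*exit',
    re.IGNORECASE,
)


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the file the command line deletes, or None if it is not the pattern."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target") if m else None


# Form-part names taken from the decrypted strings.
UPLOAD_PARTS = {"hwid", "build", "token", "file_name", "file", "message"}


def parse_multipart(body: bytes, content_type: str) -> Dict[str, dict]:
    """Minimal multipart/form-data parser: {part name: {"filename", "size", "data"}}."""
    m = re.search(r"boundary=(?P<b>[^;]+)", content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group("b").strip().encode()
    parts: Dict[str, dict] = {}
    for chunk in body.split(delimiter)[1:]:          # bytes before the first delimiter are preamble
        if chunk.strip() in (b"", b"--"):            # "--" is the closing delimiter
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="(?P<n>[^"]+)"', head)   # "; name=" so filename= is not matched
        if not name:
            continue
        fname = re.search(rb'filename="(?P<f>[^"]*)"', head)
        if data.endswith(b"\r\n"):                   # CRLF that precedes the next delimiter
            data = data[:-2]
        parts[name.group("n").decode()] = {
            "filename": fname.group("f").decode() if fname else None,
            "size": len(data),
            "data": data,
        }
    return parts


def looks_like_stealer_upload(parts: Dict[str, dict]) -> bool:
    """hwid+build+token identify bot and build; a file or file_name part carries the loot."""
    return {"hwid", "build", "token"}.issubset(parts) and ("file" in parts or "file_name" in parts)


# ---- constructed sample inputs (hypothetical values, not from the report) ----
SAMPLE_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
    r'"C:\Users\user\Desktop\BCb8yQ0fg8.exe" & del "C:\ProgramData\*.dll"" & exit'
)

# The sample builds its boundary from ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; this one is made up.
BOUNDARY = "----" + "Q7K2ZB9XWM4C1E"
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def _part(name: str, value: bytes, filename: Optional[str] = None) -> bytes:
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    return f"--{BOUNDARY}\r\n{disp}\r\n\r\n".encode() + value + b"\r\n"


SAMPLE_BODY = (
    _part("hwid", b"0123456789ABCDEF")
    + _part("build", b"default")
    + _part("token", b"example-token")
    + _part("file_name", b"system_info.txt")
    + _part("file", b"Network Info:\r\n- IP: 203.0.113.5\r\n", filename="system_info.txt")
    + f"--{BOUNDARY}--\r\n".encode()
)

if __name__ == "__main__":
    print("self-delete target:", self_delete_target(SAMPLE_CMDLINE))
    parsed = parse_multipart(SAMPLE_BODY, SAMPLE_CONTENT_TYPE)
    for k, v in parsed.items():
        print(f"{k:10s} filename={v['filename']!r} size={v['size']}")
    print("stealer upload:", looks_like_stealer_upload(parsed))
```

The command-line check is the more reliable of the two on an endpoint: the `timeout /t 5` plus `del "C:\ProgramData\*.dll"` pair is specific to this family's cleanup of the dropped browser-decryption DLLs (freebl3.dll, nss3.dll, sqlite3.dll and friends listed above), whereas the multipart field set is only visible where plaintext HTTP bodies can be inspected, which is the case here because the configured C2 URL is plain http.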
Source: BCb8yQ0fg8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: BCb8yQ0fg8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdbgggGCTL source: BCb8yQ0fg8.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb source: BCb8yQ0fg8.exe
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DD060 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn | 0_2_006DD060

Networking

Source: Malware configuration extractor | URLs: http://193.163.7.88/a69d09b357e06b52.php
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.209.58.93 (18 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50 (14 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.105
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.103
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.111
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.104
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.111
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.103
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.104
Source: unknown | TCP traffic detected without corresponding DNS query: 23.53.35.105
Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50 (7 connections)
Source: global traffic | HTTP traffic detected:
    GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zC4Eb3mDpgwO3dy&MD=LPFEY77X HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zC4Eb3mDpgwO3dy&MD=LPFEY77X HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: apis.google.com
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c0rl.m%L
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://subca.ocsp-certum.com01
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://subca.ocsp-certum.com02
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://subca.ocsp-certum.com05
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: chromecache_49.5.dr | String found in binary or memory: http://www.broofa.com
Source: BCb8yQ0fg8.exe | String found in binary or memory: http://www.certum.pl/CPS0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.000000000480A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.0000000005875000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003240000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0
                        Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
Source: chromecache_55.5.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_55.5.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Architecture:
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failedWould
Source: chromecache_49.5.dr, chromecache_55.5.dr | String found in binary or memory: https://apis.google.com
Source: chromecache_55.5.dr | String found in binary or memory: https://clients6.google.com
Source: chromecache_55.5.dr | String found in binary or memory: https://content.googleapis.com
Source: chromecache_55.5.dr | String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
Source: chromecache_55.5.dr | String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_49.5.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_49.5.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_49.5.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_49.5.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_49.5.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_55.5.dr | String found in binary or memory: https://plus.google.com
Source: chromecache_55.5.dr | String found in binary or memory: https://plus.googleapis.com
Source: chromecache_55.5.dr | String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://www.certum.pl/CPS0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: chromecache_55.5.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_55.5.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_49.5.dr | String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_49.5.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_49.5.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49758 version: TLS 1.2

System Summary

Source: cgfmw.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D4A13 NtQuerySystemInformation,0_2_006D4A13
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DE8C0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D28B0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D8AC0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DD4F0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DBDF0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D85D0
Source: BCb8yQ0fg8.exe | Static PE information: invalid certificate
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCheckIP.dll0 vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695766067.0000000004669000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCheckIP.dll0 vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe | Binary or memory string: OriginalFilenameCheckIP.dll0 vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@23/16@4/4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | File created: C:\Users\user\AppData\Local\Temp\8028f380
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: BCb8yQ0fg8.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BCb8yQ0fg8.exe | Virustotal: Detection: 19%
Source: BCb8yQ0fg8.exe | ReversingLabs: Detection: 15%
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed Would you like to download it now?
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failedWould you like to download it now?
Source: BCb8yQ0fg8.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | File read: C:\Users\user\Desktop\BCb8yQ0fg8.exe
Source: unknown | Process created: C:\Users\user\Desktop\BCb8yQ0fg8.exe "C:\Users\user\Desktop\BCb8yQ0fg8.exe"
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: pla.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: tdh.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: BCb8yQ0fg8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: BCb8yQ0fg8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdbgggGCTL source: BCb8yQ0fg8.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb source: BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BCb8yQ0fg8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BCb8yQ0fg8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BCb8yQ0fg8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BCb8yQ0fg8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: cgfmw.1.dr | Static PE information: section name: hypon
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D80EF push dword ptr [edi+18h]; ret 0_2_006D80F3
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D7164 push ecx; ret 0_2_006D7165
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D81BB push ebx; iretd 0_2_006D823C
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D8276 push ss; ret 0_2_006D8275
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D8276 push cs; ret 0_2_006D827D
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D8240 push ebx; iretd 0_2_006D823C
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D8240 push ss; ret 0_2_006D8275
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D742B push eax; ret 0_2_006D742D
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D6D59 push es; retf 0_2_006D6D5B
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E059A push ecx; ret 0_2_006E05AD
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D6E61 push eax; iretd 0_2_006D6E62
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D8E92 push ds; ret 0_2_006D8EA1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\cgfmw

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe | File deleted: c:\users\user\desktop\bcb8yq0fg8.exe
Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CGFMW
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cgfmw
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | API coverage: 9.7 %
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DD060 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,0_2_006DD060
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E0937 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006E0937
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DAB99 mov eax, dword ptr fs:[00000030h] 0_2_006DAB99
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006D50E3 mov eax, dword ptr fs:[00000030h] 0_2_006D50E3
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006DAB19 mov eax, dword ptr fs:[00000030h] 0_2_006DAB19
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E0800 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_006E0800
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E0937 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006E0937
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E0A99 SetUnhandledExceptionFilter,0_2_006E0A99

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 8120 base: 2EE0000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 8120 base: 2D9F2D8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 8120 base: 2DA01E8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 8120 base: 2679C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 8120 base: 790000 value: 00
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 2679C0
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 790000
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E0620 cpuid 0_2_006E0620
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe | Code function: 0_2_006E0B55 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_006E0B55

                        Stealing of Sensitive Information

Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED

                        Remote Access Functionality

Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED
MITRE ATT&CK Matrix (one row per technique slot; a leading number is the page's own per-technique marker)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 11 DLL Side-Loading | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 DLL Side-Loading | 311 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph ID: 1434650 | Sample: BCb8yQ0fg8.exe | Start date: 01/05/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 8 other signatures

BCb8yQ0fg8.exe (started)
  • Signature: Maps a DLL or memory area into another process
  • started cmd.exe
    • Dropped file: C:\Users\user\AppData\Local\Temp\cgfmw (PE32)
    • Signatures: Injects code into the Windows Explorer (explorer.exe); Deletes itself after installation; Writes to foreign memory regions; 2 other signatures
    • started conhost.exe
    • started explorer.exe
chrome.exe (started)
  • 192.168.2.4 (138, 443, 49698) unknown unknown
  • 192.168.2.6 unknown unknown
  • 239.255.255.250 unknown Reserved
  • started chrome.exe
    • www.google.com 64.233.180.99 (443, 49735, 49738) GOOGLEUS United States
    • plus.l.google.com
    • apis.google.com

Source | Detection | Scanner | Label
BCb8yQ0fg8.exe | 20% | Virustotal |
BCb8yQ0fg8.exe | 16% | ReversingLabs | Win32.Trojan.Nekark

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\cgfmw | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\cgfmw | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://www.broofa.com | 0% | URL Reputation | safe
http://www.broofa.com | 0% | URL Reputation | safe
https://csp.withgoogle.com/csp/lcreport/ | 0% | URL Reputation | safe
http://subca.ocsp-certum.com05 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com02 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
http://ccsca2021.ocsp-certum.com05 | 0% | URL Reputation | safe
http://c0rl.m%L | 0% | Avira URL Cloud | safe
http://193.163.7.88/a69d09b357e06b52.php | 100% | Avira URL Cloud | malware
http://crl3.digicert. | 0% | Avira URL Cloud | safe
http://193.163.7.88/a69d09b357e06b52.php | 3% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
plus.l.google.com | 142.251.16.100 | true | false | | high
www.google.com | 64.233.180.99 | true | false | | high
apis.google.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://193.163.7.88/a69d09b357e06b52.php | true | 3%, Virustotal; Avira URL Cloud: malware | unknown
https://www.google.com/async/newtab_promos | false | | high
https://www.google.com/async/ddljson?async=ntp:2 | false | | high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | | high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.certum.pl/ctsca2021.crl0o | BCb8yQ0fg8.exe | false | | high
http://repository.certum.pl/ctnca.cer09 | BCb8yQ0fg8.exe | false | | high
http://www.vmware.com/0 | BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.broofa.com | chromecache_49.5.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://crl.certum.pl/ctnca.crl0k | BCb8yQ0fg8.exe | false | | high
https://aka.ms/dotnet/app-launch-failedWould | BCb8yQ0fg8.exe | false | | high
https://aka.ms/dotnet-core-applaunch?Architecture: | BCb8yQ0fg8.exe | false | | high
http://www.vmware.com/0/ | BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s | BCb8yQ0fg8.exe | false | | high
https://aka.ms/dotnet/app-launch-failed | BCb8yQ0fg8.exe | false | | high
https://www.certum.pl/CPS0 | BCb8yQ0fg8.exe | false | | high
http://c0rl.m%L | BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.symauth.com/cps0( | BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1 | chromecache_55.5.dr | false | | high
http://repository.certum.pl/ccsca2021.cer0 | BCb8yQ0fg8.exe | false | | high
https://aka.ms/dotnet-core-applaunch? | BCb8yQ0fg8.exe | false | | high
https://plus.google.com | chromecache_55.5.dr | false | | high
https://play.google.com/log?format=json&hasfast=true | chromecache_49.5.dr | false | | high
http://repository.certum.pl/ctsca2021.cer0 | BCb8yQ0fg8.exe | false | | high
https://csp.withgoogle.com/csp/lcreport/ | chromecache_55.5.dr | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com05 | BCb8yQ0fg8.exe | false | URL Reputation: safe | unknown
http://www.symauth.com/rpa00 | BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://subca.ocsp-certum.com02 | BCb8yQ0fg8.exe | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | BCb8yQ0fg8.exe | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.info-zip.org/ | BCb8yQ0fg8.exe, 00000000.00000002.1695941866.000000000480A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.0000000005875000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003240000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.certum.pl/ctnca2.crl0l | BCb8yQ0fg8.exe | false | | high
http://repository.certum.pl/ctnca2.cer09 | BCb8yQ0fg8.exe | false | | high
http://ccsca2021.ocsp-certum.com05 | BCb8yQ0fg8.exe | false | URL Reputation: safe | unknown
https://apis.google.com | chromecache_49.5.dr, chromecache_55.5.dr | false | | high
http://crl3.digicert. | BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.certum.pl/CPS0 | BCb8yQ0fg8.exe | false | | high
https://domains.google.com/suggest/flow | chromecache_55.5.dr | false | | high
https://clients6.google.com | chromecache_55.5.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
239.255.255.250 | unknown | Reserved | unknown | unknown | false
64.233.180.99 | www.google.com | United States | 15169 | GOOGLEUS | false

IP
192.168.2.4
192.168.2.6
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1434650
Start date and time: 2024-05-01 15:46:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BCb8yQ0fg8.exe (renamed because the original name is a hash value)
Original Sample Name: 807675A50EE7545E02DAEAC9822842B7.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@23/16@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 6
• Number of non-executed functions: 42
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.253.62.94, 172.253.122.84, 172.253.122.101, 172.253.122.102, 172.253.122.138, 172.253.122.139, 172.253.122.113, 172.253.122.100, 34.104.35.123, 142.251.167.94, 199.232.210.172, 192.229.211.108, 172.253.115.94, 142.251.16.113, 142.251.16.139, 142.251.16.101, 142.251.16.100, 142.251.16.138, 142.251.16.102
• Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
15:47:21 | API Interceptor | 2x Sleep call for process: cmd.exe modified
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        239.255.255.250https://streamviewspan.com/~am~/index.phpGet hashmaliciousHTMLPhisherBrowse
                                                                                          https://981243.jimdosite.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                            SecuriteInfo.com.Trojan.PackedNET.2603.717.7438.exeGet hashmaliciousUnknownBrowse
                                                                                              https://ubhealth-my.sharepoint.com/:w:/g/personal/jenny_mason_ubhealthcare_co_uk/ESn5QzrvawJPuXYR4RRACvIBMPWOZSDndKyB6LYDahXWFw?e=4%3aXHPcee&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                                file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                  http://www.corpsierramadre.com/Get hashmaliciousUnknownBrowse
                                                                                                    MegaUniversesMQ.exeGet hashmaliciousUnknownBrowse
                                                                                                      https://app.box.com/s/zv46ei45hi6oa2wwz7joeovipn4mmwjcGet hashmaliciousUnknownBrowse
                                                                                                        SWIFT COPY.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                          SWIFT COPY.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
Match: plus.l.google.com
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Trojan.PackedNET.2603.717.7438.exe | malicious | Unknown | 142.251.163.101
https://ubhealth-my.sharepoint.com/:w:/g/personal/jenny_mason_ubhealthcare_co_uk/ESn5QzrvawJPuXYR4RRACvIBMPWOZSDndKyB6LYDahXWFw?e=4%3aXHPcee&at=9 | malicious | HTMLPhisher | 142.251.111.100
file.exe | malicious | RisePro Stealer | 142.251.111.100
SWIFT COPY.exe | malicious | AgentTesla, PureLog Stealer | 142.251.16.139
SWIFT COPY.exe | malicious | AgentTesla, PureLog Stealer | 172.253.115.100
http://t.co/hcEcRRZbgB | malicious | HTMLPhisher | 172.253.122.139
https://doc-46.jimdosite.com/ | malicious | HTMLPhisher | 172.253.122.139
fBirvIlaOJ.exe | malicious | RedLine | 172.253.122.101
SecuriteInfo.com.Win64.CoinminerX-gen.1250.29250.exe | malicious | Unknown | 172.253.122.139
SecuriteInfo.com.Win64.CoinminerX-gen.1250.29250.exe | malicious | Unknown | 172.253.122.100

No context
Match: 28a2c9bd18a11de089ef85a160da29e4
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Trojan.PackedNET.2603.717.7438.exe | malicious | Unknown | 23.209.58.93, 20.12.23.50
https://ubhealth-my.sharepoint.com/:w:/g/personal/jenny_mason_ubhealthcare_co_uk/ESn5QzrvawJPuXYR4RRACvIBMPWOZSDndKyB6LYDahXWFw?e=4%3aXHPcee&at=9 | malicious | HTMLPhisher | 23.209.58.93, 20.12.23.50
file.exe | malicious | RisePro Stealer | 23.209.58.93, 20.12.23.50
http://www.corpsierramadre.com/ | malicious | Unknown | 23.209.58.93, 20.12.23.50
MegaUniversesMQ.exe | malicious | Unknown | 23.209.58.93, 20.12.23.50
https://app.box.com/s/zv46ei45hi6oa2wwz7joeovipn4mmwjc | malicious | Unknown | 23.209.58.93, 20.12.23.50
SWIFT COPY.exe | malicious | AgentTesla, PureLog Stealer | 23.209.58.93, 20.12.23.50
SWIFT COPY.exe | malicious | AgentTesla, PureLog Stealer | 23.209.58.93, 20.12.23.50
https://autode.sk/44qi2l0 | malicious | Unknown | 23.209.58.93, 20.12.23.50
https://autode.sk/44qi2l0 | malicious | Unknown | 23.209.58.93, 20.12.23.50

No context

Process:C:\Users\user\Desktop\BCb8yQ0fg8.exe
File Type:data
Category:dropped
Size (bytes):882182
Entropy (8bit):7.392188234423486
Encrypted:false
SSDEEP:24576:wvX8Uhe8KVoa5IzW4XzwSs/SLuOzwEmSj:wvX8UhfKVP5Y1zwv/K/zwzSj
MD5:A2372FC8FA9DEBDBCEC130A674F422FC
SHA1:2EFBDFEF6C96752AF76DC82611603D88DD436B00
SHA-256:CA22A18DF93B2AF7139D4797930D96EBB9E63ABB637DC9179773A6566C010291
SHA-512:2B4C85C2A681070B5B712CD184AC0C5C9A3A5BD105668C418A2F9D2A31684845F11BF0DFEB91A035098F3D795521D5AF30F5E958311D4340CCE531DDFBCE14B6
Malicious:false
Reputation:low

Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):157184
Entropy (8bit):6.191741252019896
Encrypted:false
SSDEEP:3072:YvtlGc6fgpJSG61doHN4N4QSUukO/yIwoeL1DGBJuOb:YvLJryZoI4RvkOKEnuG
MD5:6B75CEC8F96DAF072098B3D3859D3080
SHA1:A6838615614C855E21D63E78E2C50972F400D4C8
SHA-256:0F4A87E94883051FD2E41F48168F0A587B1A509CE03530BB8D62C26FF669F99A
SHA-512:5053A4B2F03055A959965ACC92678959DBC3D3939CAC7C679C9E40616CB29DBECA51D5848CC002E477D1CF691677828DA4452AC0C97404B4B0AA356AD2AD3C8F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\cgfmw, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: C:\Users\user\AppData\Local\Temp\cgfmw, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (1746)
Category:downloaded
Size (bytes):163891
Entropy (8bit):5.55061820245277
Encrypted:false
SSDEEP:3072:S0eiNiuzs8v4HHKWY8s1BgP4IDQ9GURWu8zylA/u8PemUPhDlaY/ADiZ65LpK629:S0eMhzvwHHKWY8s1BgP4IDQ9GURWu8UD
MD5:0282D5C4C6038FCEB2FF8607EDAC81A4
SHA1:62EBF05C33F8A3115C208BB4D5CE9B38F6D06447
SHA-256:AAAF17E8ED9C8DD5D1B69C8BBB617600A768256654C076F760E09C6047973371
SHA-512:E21D25042E41527B62E80F9D9B82B85B915BA6D0698B2FFA5D8D59115F764770D1DE2108B72D82D57BFB7A8D4406FB53D091C1DC6D8BD03BED3BCA29CEFD0EAD
Malicious:false
Reputation:moderate, very likely benign file
URL:"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.oT1FwJRCVC4.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTvBynad-nWEy1xIb9j1w6LpLOF6IQ"

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (786)
Category:downloaded
Size (bytes):791
Entropy (8bit):5.147901415075528
Encrypted:false
SSDEEP:24:1wAvXxj6nBHslgT9lCuABuoB7HHHHHHHYqmffffffo:1wiXxjEKlgZ01BuSEqmffffffo
MD5:EC2CDBDD01F0DADC0FC3B9CB6B1D7B80
SHA1:5D7D6DC6B5F7D3092D6A4023948A71CE18DB0DFD
SHA-256:2946499E234EDB18203D0B2CDDF64591EBDD1575C50497218DB405E2E648D912
SHA-512:952F3B49D0C063CCA3A939D1872546341D60D31B006AE762206DAC33DD1C8B9E0AC9E150B7CD15948289921878CEF71D6929F74F171D0A19EC1BD2FF5DCF979D
Malicious:false
Reputation:low
URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text
Category:downloaded
Size (bytes):29
Entropy (8bit):3.9353986674667634
Encrypted:false
SSDEEP:3:VQAOx/1n:VQAOd1n
MD5:6FED308183D5DFC421602548615204AF
SHA1:0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:false
Reputation:moderate, very likely benign file
URL:https://www.google.com/async/newtab_promos
Preview:)]}'.{"update":{"promos":{}}}

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (65531)
Category:downloaded
Size (bytes):139802
Entropy (8bit):5.440602720809514
Encrypted:false
SSDEEP:1536:yMRA4aKKJXjPInWWt/usD98kiHLnRA0zqevcZ8hhaV+trbbbhYxvdU:e8KJou8TMyez0shCO
MD5:74F909C06A27C00BE395C0934D522FEA
SHA1:83E72373A172088FFE239B05304176F466B44521
SHA-256:BE2CE37C95D54DD5710770A623935305B047A0529D9BF811B31E0FA00EB2B1CA
SHA-512:A35650094DD91551214F6B5A8E47143AB8B8837F19110C2190BF39E03244BE6A176ABB2DE3C5EE02AFB3A364BCE393027E6C42DE4509D84959FEFF61411A7B05
Malicious:false
Reputation:low
URL:https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (3572), with no line terminators
Category:downloaded
Size (bytes):3572
Entropy (8bit):5.150542995862274
Encrypted:false
SSDEEP:96:RJYrcoiktfqqMghOKTEzNx8BSIMw591g8IOl8u8i8DF+Ks:wkktfqqMghxlg8Ig8u78D2
MD5:88BC8C86A83B9BD8EDA6FDF225CDC8DD
SHA1:473D84930F027A365278C15282725A69721F4B18
SHA-256:47D960E93D9E7AB4C760A09DA0AA5E6549A8355AD5C0BA8476D4269F4FBDB354
SHA-512:3BC486D908160D297AD3028C27177A9C41A1D87EF29A456058265FAF74A1DA069D3B0578F05A79F866C2DB752D5E0E42D179158BD62251D4FDA601A7CBA7CC4D
Malicious:false
URL:"https://www.gstatic.com/og/_/ss/k=og.qtm.T5bVtXo12IQ.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTssrVR1lBtzoy_MObv1DSp-vWG36A"

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:SVG Scalable Vector Graphics image
Category:downloaded
Size (bytes):1660
Entropy (8bit):4.301517070642596
Encrypted:false
SSDEEP:48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:554640F465EB3ED903B543DAE0A1BCAC
SHA1:E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:false
URL:https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (2124)
Category:downloaded
Size (bytes):121628
Entropy (8bit):5.506662476672723
Encrypted:false
SSDEEP:3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
MD5:F46ACD807A10216E6EEE8EA51E0F14D6
SHA1:4702F47070F7046689432DCF605F11364BC0FBED
SHA-256:D6B84873D27E7E83CF5184AAEF778F1CCB896467576CD8AF2CAD09B31B3C6086
SHA-512:811263DC85C8DAA3A6E5D8A002CCCB953CD01E6A77797109835FE8B07CABE0DEE7EB126274E84266229880A90782B3B016BA034E31F0E3B259BF9E66CA797028
Malicious:false
URL:"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0"
                                                                                                            Preview:gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x20000, ]);.var ba,ca,da,na,pa,va,wa,za;ba=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};.da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.ma=da(this);na=function(a,b){if(b)a:{var c=_.ma;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&ca(c,a,{configurable:!0,writable:!0,value:b})}};.na("Symbol",function(a){if(a)re
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):7.708245175318212
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:BCb8yQ0fg8.exe
                                                                                                            File size:944'280 bytes
                                                                                                            MD5:807675a50ee7545e02daeac9822842b7
                                                                                                            SHA1:967094e1ef9155a031687396ba99855e54870612
                                                                                                            SHA256:2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
                                                                                                            SHA512:12a928dc23e7fd03996e5d41d8fce1d091b0fa979d379e63e6e89d58440f8a21a809a646e1c6431eda68d71515e1aed06219c4f3d8c0c86e25724b1d6e5af5b4
                                                                                                            SSDEEP:24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4
                                                                                                            TLSH:4A15012175E54420E0A3023F48BDABA1857AAF718FB1F0CFA3447DAE5A3D9C1E930756
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8Ae.Y/6.Y/6.Y/6.%+7.Y/6.%,7.Y/6.%*7.Y/6.!.6.Y/6.!.7.Y/6.Y.69Y/6%%&7.Y/6%%-7.Y/6Rich.Y/6........PE..L......c...............".6.
                                                                                                            Icon Hash:2771a96949e8512b
                                                                                                            Entrypoint:0x410590
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:true
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x638F960F [Tue Dec 6 19:20:47 2022 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:6
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:6
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:6
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:5f7bf97ec922bad10bc4de737ab257ee
                                                                                                            Signature Valid:false
                                                                                                            Signature Issuer:CN=Certum Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                            Error Number:-2146869232
                                                                                                            Not Before, Not After
                                                                                                            • 24/08/2022 07:38:06 24/08/2023 07:38:05
                                                                                                            Subject Chain
• E=info@exploitox.de, CN="Open Source Developer, Jonas Günner", O=Open Source Developer, L=Uelzen, S=Niedersachsen, C=DE
                                                                                                            Version:3
                                                                                                            Thumbprint MD5:9107F754D755BA933AC47DFCE107DFB6
                                                                                                            Thumbprint SHA-1:35F4E53A88751BBE67EAA097513E3DB1AD2F49E3
                                                                                                            Thumbprint SHA-256:719B615DB1499BC948B5E7487C43B8BEB824AE62C576F7ADACC81A37CD8B3B14
                                                                                                            Serial:6606F76CF00BC54EB3260E6E1BC70074
                                                                                                            Instruction
                                                                                                            call 00007FED0131F5F2h
                                                                                                            jmp 00007FED0131EE4Dh
                                                                                                            mov ecx, dword ptr [ebp-0Ch]
                                                                                                            mov dword ptr fs:[00000000h], ecx
                                                                                                            pop ecx
                                                                                                            pop edi
                                                                                                            pop edi
                                                                                                            pop esi
                                                                                                            pop ebx
                                                                                                            mov esp, ebp
                                                                                                            pop ebp
                                                                                                            push ecx
                                                                                                            ret
                                                                                                            push eax
                                                                                                            push dword ptr fs:[00000000h]
                                                                                                            lea eax, dword ptr [esp+0Ch]
                                                                                                            sub esp, dword ptr [esp+0Ch]
                                                                                                            push ebx
                                                                                                            push esi
                                                                                                            push edi
                                                                                                            mov dword ptr [eax], ebp
                                                                                                            mov ebp, eax
                                                                                                            mov eax, dword ptr [0041D010h]
                                                                                                            xor eax, ebp
                                                                                                            push eax
                                                                                                            push dword ptr [ebp-04h]
                                                                                                            mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                            lea eax, dword ptr [ebp-0Ch]
                                                                                                            mov dword ptr fs:[00000000h], eax
                                                                                                            ret
                                                                                                            push eax
                                                                                                            push dword ptr fs:[00000000h]
                                                                                                            lea eax, dword ptr [esp+0Ch]
                                                                                                            sub esp, dword ptr [esp+0Ch]
                                                                                                            push ebx
                                                                                                            push esi
                                                                                                            push edi
                                                                                                            mov dword ptr [eax], ebp
                                                                                                            mov ebp, eax
                                                                                                            mov eax, dword ptr [0041D010h]
                                                                                                            xor eax, ebp
                                                                                                            push eax
                                                                                                            mov dword ptr [ebp-10h], esp
                                                                                                            push dword ptr [ebp-04h]
                                                                                                            mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                            lea eax, dword ptr [ebp-0Ch]
                                                                                                            mov dword ptr fs:[00000000h], eax
                                                                                                            ret
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            int3
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            and dword ptr [0041DA48h], 00000000h
                                                                                                            sub esp, 24h
                                                                                                            or dword ptr [0041D020h], 01h
                                                                                                            push 0000000Ah
                                                                                                            call dword ptr [004150BCh]
                                                                                                            test eax, eax
                                                                                                            je 00007FED0131F192h
                                                                                                            and dword ptr [ebp-10h], 00000000h
                                                                                                            xor eax, eax
                                                                                                            push ebx
                                                                                                            push esi
                                                                                                            push edi
                                                                                                            xor ecx, ecx
                                                                                                            lea edi, dword ptr [ebp-24h]
                                                                                                            push ebx
                                                                                                            cpuid
                                                                                                            mov esi, ebx
                                                                                                            Programming Language:
                                                                                                            • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1b440          0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1e000          0xc75be       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xe4000          0x2898
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe6000          0x115c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x19490          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x19500          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x193d0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x15000          0x1fc         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type                                              Entropy             Characteristics
.text   0x1000           0x1353a       0x13600   bf2ff065a6f650143eeda7db528b6c35  False     0.5329637096774194  data                                                   6.792453781810886   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x15000          0x709a        0x7200    52bee74c9772c70a6f8907b529f30523  False     0.3418311403508772  OpenPGP Public Key                                     4.430638903645443   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x1d000          0xed8         0xa00     6ce128b02d8927ee9b06ec7d2d722258  False     0.1875              DOS executable (block device driver \377\377\377\377N)  2.4040749330890847  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x1e000          0xc75be       0xc7600   6ca874172c252530e617f978b3eee543  False     0.8703541340125391  data                                                   7.767515223848266   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe6000          0x1240        0x1400    e6dfe2ef8827a2d65c8819991629ace5  False     0.7158203125        data                                                   6.1715723164120195  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                                          Language  Country  ZLIB Complexity
LMM            0x1e180  0xb668e  PNG image data, 1112 x 688, 8-bit/color RGBA, non-interlaced                                                                     0.9406718865020411
RT_ICON        0xd4810  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 12368 x 12368 px/m                               0.09915118892700817
RT_GROUP_ICON  0xe5038  0x14     data                                                                                                                             1.15
RT_VERSION     0xe504c  0x388    data                                                                                                                             0.43694690265486724
RT_MANIFEST    0xe53d4  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                                0.5489795918367347
DLL: Imports
KERNEL32.dll: FindNextFileW, GetCurrentProcess, GetModuleHandleExW, GetModuleFileNameW, LeaveCriticalSection, InitializeCriticalSection, GetEnvironmentVariableW, FindClose, MultiByteToWideChar, GetLastError, GetFileAttributesExW, GetFullPathNameW, GetProcAddress, DeleteCriticalSection, WideCharToMultiByte, IsWow64Process, LoadLibraryExW, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EnterCriticalSection, FindFirstFileExW, OutputDebugStringW, LoadLibraryA, GetModuleHandleW, InitializeCriticalSectionAndSpinCount, SetLastError, RaiseException, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsDebuggerPresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, GetStringTypeW
USER32.dll: MessageBoxW
SHELL32.dll: ShellExecuteW
ADVAPI32.dll: RegOpenKeyExW, RegGetValueW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, RegCloseKey
api-ms-win-crt-runtime-l1-1-0.dll: _crt_atexit, _invalid_parameter_noinfo_noreturn, __p___argc, __p___wargv, _exit, exit, _initterm_e, _errno, _initterm, _get_initial_wide_environment, _c_exit, _configure_wide_argv, _controlfp_s, _set_app_type, _register_onexit_function, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, abort, _cexit, _initialize_wide_environment, terminate, _seh_filter_exe
api-ms-win-crt-stdio-l1-1-0.dll: _set_fmode, __stdio_common_vsprintf_s, setvbuf, __stdio_common_vswprintf, __acrt_iob_func, fputwc, __p__commode, fputws, __stdio_common_vsnwprintf_s, _wfsopen, fflush, __stdio_common_vfwprintf
api-ms-win-crt-heap-l1-1-0.dll: _callnewh, _set_new_mode, free, malloc, calloc
api-ms-win-crt-string-l1-1-0.dll: wcsnlen, strcpy_s, _wcsdup, strcspn, wcsncmp, toupper
api-ms-win-crt-convert-l1-1-0.dll: wcstoul, _wtoi
api-ms-win-crt-locale-l1-1-0.dll: __pctype_func, _unlock_locales, _lock_locales, ___lc_locale_name_func, ___lc_codepage_func, ___mb_cur_max_func, _configthreadlocale, setlocale, localeconv
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr, frexp
api-ms-win-crt-time-l1-1-0.dll: _gmtime64_s, wcsftime, _time64
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
May 1, 2024 15:46:50.850363970 CEST  49678        443        192.168.2.4    104.46.162.224
May 1, 2024 15:46:52.884983063 CEST  49675        443        192.168.2.4    173.222.162.32
May 1, 2024 15:47:02.040949106 CEST  49735        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.041002035 CEST  443          49735      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.041058064 CEST  49735        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.042857885 CEST  49735        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.042867899 CEST  443          49735      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.045861959 CEST  49738        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.045901060 CEST  443          49738      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.045958042 CEST  49738        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.046118975 CEST  49738        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.046134949 CEST  443          49738      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.047179937 CEST  49739        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.047219992 CEST  443          49739      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.047271013 CEST  49739        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.048001051 CEST  49739        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.048018932 CEST  443          49739      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.116233110 CEST  49740        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.116277933 CEST  443          49740      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.116343021 CEST  49740        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.116691113 CEST  49740        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.116703033 CEST  443          49740      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.242271900 CEST  443          49735      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.245043993 CEST  443          49738      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.246571064 CEST  443          49739      64.233.180.99  192.168.2.4
May 1, 2024 15:47:02.250330925 CEST  49735        443        192.168.2.4    64.233.180.99
May 1, 2024 15:47:02.250339985 CEST  443          49735      64.233.180.99  192.168.2.4
                                                                                                            May 1, 2024 15:47:02.250624895 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.250644922 CEST4434973864.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.251226902 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.251245022 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.251693010 CEST4434973864.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.251712084 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.251768112 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.251847029 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.252278090 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.252346992 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.253391981 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.253458023 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.259613991 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.259686947 CEST4434973864.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.261537075 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.261544943 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.261750937 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.261765003 CEST4434973864.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.262063026 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.262137890 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.263127089 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.263134956 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.311614037 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.312283993 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.312352896 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.312391043 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.312509060 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.312510014 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.313358068 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.313443899 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.314203024 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.314280033 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.314331055 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.314336061 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.365053892 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.455714941 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.455751896 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.455791950 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.455801964 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.460051060 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.460097075 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.468164921 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.468281984 CEST4434973864.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.468331099 CEST49738443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.474024057 CEST49735443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.474030972 CEST4434973564.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.484549046 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.484589100 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.484626055 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.484631062 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.484653950 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.484688044 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.490719080 CEST49675443192.168.2.4173.222.162.32
                                                                                                            May 1, 2024 15:47:02.490967035 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.490998030 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.491005898 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.491013050 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.491048098 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.497541904 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.499299049 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.499331951 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.499345064 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.499351978 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.499391079 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.505973101 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.512568951 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.512613058 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.512620926 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.540143967 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.540338993 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.540384054 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.540932894 CEST49740443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.540950060 CEST4434974064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.567986965 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.579252958 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.582474947 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.582509041 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.582526922 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.582535982 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.582577944 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.589077950 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.595729113 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.595778942 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.595786095 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.602452993 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.602477074 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.602502108 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.602509975 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.602546930 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.609042883 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.615600109 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.615628004 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.615653992 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.615662098 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.615704060 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.621867895 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.628217936 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.628238916 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.628262997 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.628272057 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.628309965 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.634423018 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.640680075 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.640726089 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.640733957 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.647020102 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.647062063 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.647069931 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.653318882 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.653362989 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.653371096 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.659467936 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.659517050 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.659524918 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.674096107 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.674148083 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.674156904 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.677174091 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.677217007 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.677225113 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.683237076 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.683279037 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.683286905 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.688945055 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.689006090 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.689014912 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.698942900 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.699011087 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.699018002 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.700179100 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.700242043 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.700247049 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.708189011 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.708220959 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.708262920 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.708271027 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.708313942 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.712152958 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.716155052 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.716206074 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.716244936 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.716253996 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.716298103 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.720155001 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.724147081 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.724211931 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.724219084 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.728173018 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.728229046 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.728235960 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.731970072 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.732034922 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.732043028 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.734266043 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.734318018 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:47:02.734328985 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.738711119 CEST4434973964.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:47:02.738754988 CEST49739443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:48:06.800157070 CEST49760443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:48:06.800225973 CEST4434976064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:48:06.849004984 CEST49760443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:48:09.896316051 CEST4972380192.168.2.423.199.71.185
                                                                                                            May 1, 2024 15:48:09.896400928 CEST4972480192.168.2.472.21.81.240
                                                                                                            May 1, 2024 15:48:09.990397930 CEST804972472.21.81.240192.168.2.4
                                                                                                            May 1, 2024 15:48:09.990510941 CEST4972480192.168.2.472.21.81.240
                                                                                                            May 1, 2024 15:48:09.990557909 CEST804972323.199.71.185192.168.2.4
                                                                                                            May 1, 2024 15:48:09.990616083 CEST4972380192.168.2.423.199.71.185
                                                                                                            May 1, 2024 15:48:16.797683001 CEST4434976064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:48:16.797746897 CEST4434976064.233.180.99192.168.2.4
                                                                                                            May 1, 2024 15:48:16.797792912 CEST49760443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:48:18.734056950 CEST49760443192.168.2.464.233.180.99
                                                                                                            May 1, 2024 15:48:18.734082937 CEST4434976064.233.180.99192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 1, 2024 15:47:01.694837093 CEST | 53 | 63187 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:01.897485018 CEST | 54288 | 53 | 192.168.2.4 | 1.1.1.1
May 1, 2024 15:47:01.897897005 CEST | 61870 | 53 | 192.168.2.4 | 1.1.1.1
May 1, 2024 15:47:01.905474901 CEST | 53 | 52654 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:01.994194031 CEST | 53 | 61870 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:01.995353937 CEST | 53 | 54288 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:02.617317915 CEST | 53 | 65109 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:04.772463083 CEST | 53 | 56971 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:05.512001991 CEST | 55291 | 53 | 192.168.2.4 | 1.1.1.1
May 1, 2024 15:47:05.512125015 CEST | 49698 | 53 | 192.168.2.4 | 1.1.1.1
May 1, 2024 15:47:05.607254982 CEST | 53 | 49698 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:05.607537031 CEST | 53 | 55291 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:21.583406925 CEST | 138 | 138 | 192.168.2.4 | 192.168.2.255
May 1, 2024 15:47:24.540198088 CEST | 53 | 60900 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:47:43.696841955 CEST | 53 | 60224 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:48:01.590617895 CEST | 53 | 60476 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:48:07.241719961 CEST | 53 | 58458 | 1.1.1.1 | 192.168.2.4
May 1, 2024 15:48:29.211852074 CEST | 53 | 59592 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 1, 2024 15:47:01.897485018 CEST | 192.168.2.4 | 1.1.1.1 | 0xe605 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:01.897897005 CEST | 192.168.2.4 | 1.1.1.1 | 0xc272 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
May 1, 2024 15:47:05.512001991 CEST | 192.168.2.4 | 1.1.1.1 | 0xc80d | Standard query (0) | apis.google.com | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.512125015 CEST | 192.168.2.4 | 1.1.1.1 | 0x47b6 | Standard query (0) | apis.google.com | 65 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 1, 2024 15:47:01.994194031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc272 | No error (0) | www.google.com |  |  | 65 | IN (0x0001) | false
May 1, 2024 15:47:01.995353937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe605 | No error (0) | www.google.com |  | 64.233.180.99 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:01.995353937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe605 | No error (0) | www.google.com |  | 64.233.180.106 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:01.995353937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe605 | No error (0) | www.google.com |  | 64.233.180.103 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:01.995353937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe605 | No error (0) | www.google.com |  | 64.233.180.147 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:01.995353937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe605 | No error (0) | www.google.com |  | 64.233.180.104 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:01.995353937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe605 | No error (0) | www.google.com |  | 64.233.180.105 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.607254982 CEST | 1.1.1.1 | 192.168.2.4 | 0x47b6 | No error (0) | apis.google.com | plus.l.google.com |  | CNAME (Canonical name) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | apis.google.com | plus.l.google.com |  | CNAME (Canonical name) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | plus.l.google.com |  | 142.251.16.100 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | plus.l.google.com |  | 142.251.16.138 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | plus.l.google.com |  | 142.251.16.113 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | plus.l.google.com |  | 142.251.16.139 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | plus.l.google.com |  | 142.251.16.101 | A (IP address) | IN (0x0001) | false
May 1, 2024 15:47:05.607537031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc80d | No error (0) | plus.l.google.com |  | 142.251.16.102 | A (IP address) | IN (0x0001) | false
                                                                                                            • www.google.com
                                                                                                            • fs.microsoft.com
                                                                                                            • slscr.update.microsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 64.233.180.99 | 443 | 7588 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:47:02 UTC | 615 | OUT | GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                                                                            Host: www.google.com
                                                                                                            Connection: keep-alive
                                                                                                            X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
                                                                                                            Sec-Fetch-Site: none
                                                                                                            Sec-Fetch-Mode: no-cors
                                                                                                            Sec-Fetch-Dest: empty
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
2024-05-01 13:47:02 UTC | 1703 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 01 May 2024 13:47:02 GMT
                                                                                                            Pragma: no-cache
                                                                                                            Expires: -1
                                                                                                            Cache-Control: no-cache, must-revalidate
                                                                                                            Content-Type: text/javascript; charset=UTF-8
                                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                                            Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-i46__TY9HyyZSarKxDw87A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
                                                                                                            Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                            Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
                                                                                                            Accept-CH: Sec-CH-UA-Platform
                                                                                                            Accept-CH: Sec-CH-UA-Platform-Version
                                                                                                            Accept-CH: Sec-CH-UA-Full-Version
                                                                                                            Accept-CH: Sec-CH-UA-Arch
                                                                                                            Accept-CH: Sec-CH-UA-Model
                                                                                                            Accept-CH: Sec-CH-UA-Bitness
                                                                                                            Accept-CH: Sec-CH-UA-Full-Version-List
                                                                                                            Accept-CH: Sec-CH-UA-WoW64
                                                                                                            Permissions-Policy: unload=()
                                                                                                            Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                                                            Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                                                            Content-Disposition: attachment; filename="f.txt"
                                                                                                            Server: gws
                                                                                                            X-XSS-Protection: 0
                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                            Accept-Ranges: none
                                                                                                            Vary: Accept-Encoding
                                                                                                            Connection: close
                                                                                                            Transfer-Encoding: chunked
                                                                                                            2024-05-01 13:47:02 UTC798INData Raw: 33 31 37 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 63 6f 6c 6f 72 61 64 6f 20 61 76 61 6c 61 6e 63 68 65 20 77 69 6e 6e 69 70 65 67 20 6a 65 74 73 22 2c 22 61 66 66 6f 72 64 61 62 6c 65 20 69 6e 74 65 72 6e 65 74 22 2c 22 74 6f 64 61 79 20 77 6f 72 64 6c 65 20 61 6e 73 77 65 72 22 2c 22 64 61 76 65 20 61 6e 64 20 62 75 73 74 65 72 73 20 62 65 74 74 69 6e 67 20 61 72 63 61 64 65 20 67 61 6d 65 73 22 2c 22 67 72 61 79 20 7a 6f 6e 65 20 77 61 72 66 61 72 65 20 74 61 72 6b 6f 76 22 2c 22 6e 79 74 20 73 74 72 61 6e 64 73 20 61 6e 73 77 65 72 73 22 2c 22 62 6f 6c 69 6e 67 62 72 6f 6f 6b 20 67 6f 6c 66 20 63 6c 75 62 20 6c 69 76 20 67 6f 6c 66 22 2c 22 79 6f 75 74 68 66 6f 72 69 61 20 66 6f 75 6e 64 61 74 69 6f 6e 20 73 68 61 64 65 73 22 5d 2c 5b 22 22 2c 22 22 2c
                                                                                                            Data Ascii: 317)]}'["",["colorado avalanche winnipeg jets","affordable internet","today wordle answer","dave and busters betting arcade games","gray zone warfare tarkov","nyt strands answers","bolingbrook golf club liv golf","youthforia foundation shades"],["","",
2024-05-01 13:47:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 64.233.180.99 | 443 | 7588 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:47:02 UTC | 353 | OUT | GET /async/ddljson?async=ntp:2 HTTP/1.1
                                                                                                            Host: www.google.com
                                                                                                            Connection: keep-alive
                                                                                                            Sec-Fetch-Site: none
                                                                                                            Sec-Fetch-Mode: no-cors
                                                                                                            Sec-Fetch-Dest: empty
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 64.233.180.99 | 443 | 7588 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:47:02 UTC | 518 | OUT | GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                                                                            Host: www.google.com
                                                                                                            Connection: keep-alive
                                                                                                            X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
                                                                                                            Sec-Fetch-Site: cross-site
                                                                                                            Sec-Fetch-Mode: no-cors
                                                                                                            Sec-Fetch-Dest: empty
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
2024-05-01 13:47:02 UTC | 1479 | IN | HTTP/1.1 200 OK
                                                                                                            Version: 628208705
                                                                                                            Content-Type: application/json; charset=UTF-8
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                                            Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                            Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                                                            Accept-CH: Sec-CH-UA-Platform
                                                                                                            Accept-CH: Sec-CH-UA-Platform-Version
                                                                                                            Accept-CH: Sec-CH-UA-Full-Version
                                                                                                            Accept-CH: Sec-CH-UA-Arch
                                                                                                            Accept-CH: Sec-CH-UA-Model
                                                                                                            Accept-CH: Sec-CH-UA-Bitness
                                                                                                            Accept-CH: Sec-CH-UA-Full-Version-List
                                                                                                            Accept-CH: Sec-CH-UA-WoW64
                                                                                                            Permissions-Policy: unload=()
                                                                                                            Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                                                            Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                                                            Content-Disposition: attachment; filename="f.txt"
                                                                                                            Date: Wed, 01 May 2024 13:47:02 GMT
                                                                                                            Server: gws
                                                                                                            Cache-Control: private
                                                                                                            X-XSS-Protection: 0
                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                            Accept-Ranges: none
                                                                                                            Vary: Accept-Encoding
                                                                                                            Connection: close
                                                                                                            Transfer-Encoding: chunked


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 64.233.180.99 | Destination Port: 443 | PID: 7588 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp: 2024-05-01 13:47:02 UTC | Bytes transferred: 353 | Direction: OUT
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Timestamp: 2024-05-01 13:47:02 UTC | Bytes transferred: 1434 | Direction: IN
    HTTP/1.1 200 OK
    Version: 628208705
    Content-Type: application/json; charset=UTF-8
    X-Content-Type-Options: nosniff
    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
    Accept-CH: Sec-CH-UA-Platform
    Accept-CH: Sec-CH-UA-Platform-Version
    Accept-CH: Sec-CH-UA-Full-Version
    Accept-CH: Sec-CH-UA-Arch
    Accept-CH: Sec-CH-UA-Model
    Accept-CH: Sec-CH-UA-Bitness
    Accept-CH: Sec-CH-UA-Full-Version-List
    Accept-CH: Sec-CH-UA-WoW64
    Permissions-Policy: unload=()
    Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
    Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
    Content-Disposition: attachment; filename="f.txt"
    Date: Wed, 01 May 2024 13:47:02 GMT
    Server: gws
    Cache-Control: private
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
Timestamp: 2024-05-01 13:47:02 UTC | Bytes transferred: 35 | Direction: IN
    Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a
    Data Ascii: 1d)]}'{"update":{"promos":{}}}
Timestamp: 2024-05-01 13:47:02 UTC | Bytes transferred: 5 | Direction: IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49750 | Destination IP: 23.209.58.93 | Destination Port: 443

Timestamp: 2024-05-01 13:47:08 UTC | Bytes transferred: 161 | Direction: OUT
    HEAD /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Timestamp: 2024-05-01 13:47:08 UTC | Bytes transferred: 467 | Direction: IN
    HTTP/1.1 200 OK
    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
    Content-Type: application/octet-stream
    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
    Server: ECAcc (chd/079C)
    X-CID: 11
    X-Ms-ApiVersion: Distribute 1.2
    X-Ms-Region: prod-eus-z1
    Cache-Control: public, max-age=148640
    Date: Wed, 01 May 2024 13:47:08 GMT
    Connection: close
    X-CID: 2


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49751 | Destination IP: 23.209.58.93 | Destination Port: 443

Timestamp: 2024-05-01 13:47:09 UTC | Bytes transferred: 239 | Direction: OUT
    GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Timestamp: 2024-05-01 13:47:09 UTC | Bytes transferred: 774 | Direction: IN
    HTTP/1.1 200 OK
    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
    ApiVersion: Distribute 1.1
    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
    X-CID: 7
    X-CCC: US
    X-Azure-Ref-OriginShield: Ref A: 8BFC17DD061B46CAAD2B2AEB7B19C3D8 Ref B: CH1AA2040901011 Ref C: 2023-07-21T06:04:00Z
    X-MSEdge-Ref: Ref A: 1421F39FA7224BE199CC2F2C3DD24574 Ref B: CHI30EDGE0415 Ref C: 2023-07-21T06:04:00Z
    Content-Type: application/octet-stream
    X-Azure-Ref: 0DMGnYgAAAACXaXykPZuVRq4aV6pCkeO8U0pDRURHRTAzMTgAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm
    Cache-Control: public, max-age=148562
    Date: Wed, 01 May 2024 13:47:09 GMT
    Content-Length: 55
    Connection: close
    X-CID: 2
Timestamp: 2024-05-01 13:47:09 UTC | Bytes transferred: 55 | Direction: IN
    Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
    Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49752 | Destination IP: 20.12.23.50 | Destination Port: 443

Timestamp: 2024-05-01 13:47:15 UTC | Bytes transferred: 306 | Direction: OUT
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zC4Eb3mDpgwO3dy&MD=LPFEY77X HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Timestamp: 2024-05-01 13:47:15 UTC | Bytes transferred: 560 | Direction: IN
    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/octet-stream
    Expires: -1
    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
    ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
    MS-CorrelationId: 6dd340ee-3e0b-4357-a233-356ac3f9c8e3
    MS-RequestId: 9ab0134c-d7b2-4749-801f-ca42844bf0dd
    MS-CV: s3eIeg9jikeekaRb.0
    X-Microsoft-SLSClientCache: 2880
    Content-Disposition: attachment; filename=environment.cab
    X-Content-Type-Options: nosniff
    Date: Wed, 01 May 2024 13:47:14 GMT
    Connection: close
    Content-Length: 24490
Timestamp: 2024-05-01 13:47:15 UTC | Bytes transferred: 15824 | Direction: IN
Timestamp: 2024-05-01 13:47:15 UTC | Bytes transferred: 8666 | Direction: IN


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49758
Destination IP: 20.12.23.50
Destination Port: 443
PID:
Process:

Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:47:55 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zC4Eb3mDpgwO3dy&MD=LPFEY77X HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-05-01 13:47:56 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"
MS-CorrelationId: f8ee8e6e-8525-4385-8768-91c72c2a2fd4
MS-RequestId: ccf01076-7023-4e90-ad3f-11d81d6dd069
MS-CV: LeV/zaV9m0mMvAPN.0
X-Microsoft-SLSClientCache: 2160
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Wed, 01 May 2024 13:47:55 GMT
Connection: close
Content-Length: 25457
2024-05-01 13:47:56 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92
Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-01 13:47:56 UTC | 9633 | IN | Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a
Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq



Target ID: 0
Start time: 15:46:55
Start date: 01/05/2024
Path: C:\Users\user\Desktop\BCb8yQ0fg8.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\BCb8yQ0fg8.exe"
Imagebase: 0x6d0000
File size: 944'280 bytes
MD5 hash: 807675A50EE7545E02DAEAC9822842B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 15:46:55
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 2
Start time: 15:46:55
Start date: 01/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 15:47:00
Start date: 01/05/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 15:47:00
Start date: 01/05/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 15:47:17
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x180000
File size: 4'514'184 bytes
MD5 hash: DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.3%
Total number of Nodes: 1308
Total number of Limit Nodes: 18
                                                                                                              execution_graph 7654 6d9c6b 7655 6d9c70 7654->7655 7660 6da2f0 7655->7660 7657 6d9d35 7658 6e0052 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 7657->7658 7659 6d9d4b 7658->7659 7661 6da334 7660->7661 7677 6db250 7661->7677 7663 6da857 7664 6d1490 4 API calls 7663->7664 7670 6da85c 7664->7670 7665 6d4cf0 2 API calls 7673 6da43d std::ios_base::_Ios_base_dtor _Yarn 7665->7673 7666 6da679 std::ios_base::_Ios_base_dtor 7667 6da82f std::ios_base::_Ios_base_dtor 7666->7667 7668 6da829 _invalid_parameter_noinfo_noreturn 7666->7668 7671 6e0052 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 7667->7671 7668->7667 7669 6da904 strcspn localeconv strcspn 7674 6da94e 7669->7674 7670->7669 7672 6da853 7671->7672 7672->7657 7673->7663 7673->7665 7673->7666 7673->7668 7673->7670 7675 6db250 39 API calls 7674->7675 7676 6daa03 7675->7676 7676->7657 7708 6df5f9 7677->7708 7680 6df5f9 std::_Lockit::_Lockit 2 API calls 7681 6db2a5 7680->7681 7713 6df651 7681->7713 7682 6df651 std::_Lockit::~_Lockit 2 API calls 7684 6db358 7682->7684 7683 6db2c5 7686 6db312 7683->7686 7718 6db4e0 7683->7718 7684->7673 7686->7682 7689 6db36c 7745 6d1a70 7689->7745 7690 6db326 7742 6df9a2 7690->7742 7694 6db4d2 7695 6d1490 4 API calls 7694->7695 7697 6db4d7 7695->7697 7696 6db3a5 7698 6db406 7696->7698 7699 6db413 7696->7699 7701 6db3ba 7696->7701 7700 6d13f0 Concurrency::cancel_current_task 4 API calls 7697->7700 7698->7697 7698->7701 7704 6e006e std::_Facet_Register 6 API calls 7699->7704 7706 6db3ca _Yarn 7699->7706 7703 6db4dc 7700->7703 7702 6e006e std::_Facet_Register 6 API calls 7701->7702 7702->7706 7704->7706 7705 6db4a3 _invalid_parameter_noinfo_noreturn 7707 6db48a std::ios_base::_Ios_base_dtor _Yarn 7705->7707 7706->7705 7706->7707 7707->7673 7709 6df60f 7708->7709 7710 6df608 _lock_locales 7708->7710 7711 6db282 7709->7711 7751 6dff62 
EnterCriticalSection 7709->7751 7710->7711 7711->7680 7711->7683 7714 6df65b 7713->7714 7715 6e2ff9 _unlock_locales 7713->7715 7716 6df66e 7714->7716 7752 6dff70 LeaveCriticalSection 7714->7752 7716->7683 7719 6db6b1 7718->7719 7721 6db535 7718->7721 7720 6e0052 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 7719->7720 7722 6db321 7720->7722 7721->7719 7723 6e006e std::_Facet_Register 6 API calls 7721->7723 7722->7689 7722->7690 7724 6db545 7723->7724 7753 6d1b00 7724->7753 7729 6dfe0c 4 API calls 7730 6db5f2 calloc 7729->7730 7731 6db6d4 7730->7731 7736 6db60a 7730->7736 7794 6df7bd 7731->7794 7767 6df443 7736->7767 7738 6db665 7739 6df443 3 API calls 7738->7739 7740 6db699 7739->7740 7777 6d1bb0 7740->7777 7743 6e006e std::_Facet_Register 6 API calls 7742->7743 7744 6df9ad 7743->7744 7744->7686 7746 6d1a7e Concurrency::cancel_current_task 7745->7746 7747 6e12ec CallUnexpected RaiseException 7746->7747 7748 6d1a8c 7747->7748 7749 6e1245 ___std_exception_copy 3 API calls 7748->7749 7750 6d1ab3 7749->7750 7750->7694 7750->7696 7751->7711 7752->7716 7754 6df5f9 std::_Lockit::_Lockit 2 API calls 7753->7754 7755 6d1b30 7754->7755 7756 6d1b78 7755->7756 7757 6d1b96 7755->7757 7802 6dfad4 setlocale 7756->7802 7810 6df83a 7757->7810 7762 6dfe0c 7824 6e18f0 7762->7824 7765 6dfe47 __pctype_func 7766 6db5a8 7765->7766 7766->7729 7768 6df44d 7767->7768 7770 6df451 7767->7770 7768->7738 7769 6df53d MultiByteToWideChar 7773 6df554 _errno 7769->7773 7774 6df45b 7769->7774 7770->7769 7771 6df48d 7770->7771 7772 6df4fa 7770->7772 7770->7774 7771->7769 7776 6df497 7771->7776 7772->7774 7775 6df523 MultiByteToWideChar 7772->7775 7773->7774 7774->7738 7775->7773 7775->7774 7776->7773 7776->7774 7826 6dfb1f 7777->7826 7780 6d1bef 7782 6d1bfd free 7780->7782 7783 6d1c07 7780->7783 7781 6d1be5 free 7781->7780 7782->7783 7784 6d1c1f 7783->7784 7785 6d1c15 free 7783->7785 7786 6d1c2d free 7784->7786 7787 6d1c37 7784->7787 7785->7784 7786->7787 7788 6d1c4f 7787->7788 
7789 6d1c45 free 7787->7789 7790 6d1c5d free 7788->7790 7791 6d1c67 7788->7791 7789->7788 7790->7791 7792 6df651 std::_Lockit::~_Lockit 2 API calls 7791->7792 7793 6d1c75 7792->7793 7793->7719 7795 6df7cb Concurrency::cancel_current_task 7794->7795 7796 6e12ec CallUnexpected RaiseException 7795->7796 7797 6df7d9 7796->7797 7829 6df6ab 7797->7829 7800 6e12ec CallUnexpected RaiseException 7801 6df7f9 7800->7801 7803 6dfae6 7802->7803 7815 6df91e 7803->7815 7805 6dfaf8 7806 6dfafe setlocale 7805->7806 7807 6dfb0e 7805->7807 7806->7807 7808 6df91e _Yarn 2 API calls 7807->7808 7809 6d1b7f localeconv 7808->7809 7809->7762 7821 6df76a 7810->7821 7813 6e12ec CallUnexpected RaiseException 7814 6df859 7813->7814 7816 6df92c 7815->7816 7817 6df95e _Yarn 7815->7817 7818 6df931 free 7816->7818 7820 6df939 7816->7820 7817->7805 7818->7820 7819 6df94e malloc 7819->7817 7820->7817 7820->7819 7820->7820 7822 6d1300 std::invalid_argument::invalid_argument 3 API calls 7821->7822 7823 6df77c 7822->7823 7823->7813 7825 6dfe1f ___lc_codepage_func ___mb_cur_max_func ___lc_locale_name_func 7824->7825 7825->7765 7825->7766 7827 6dfb2b setlocale 7826->7827 7828 6d1bdb 7826->7828 7827->7828 7828->7780 7828->7781 7830 6d1300 std::invalid_argument::invalid_argument 3 API calls 7829->7830 7831 6df6bd 7830->7831 7831->7800 8559 6e2768 8560 6e1c8c __InternalCxxFrameHandler 13 API calls 8559->8560 8561 6e2770 __FrameHandler3::FrameUnwindToState 8560->8561 8562 6e2942 __FrameHandler3::FrameUnwindToState 14 API calls 8561->8562 8563 6e27ec 8562->8563 8564 6e2825 __InternalCxxFrameHandler 20 API calls 8563->8564 8565 6e280d 8564->8565 7832 6d2060 7833 6d207e free 7832->7833 7834 6d2072 free 7832->7834 7835 6d2096 std::ios_base::_Ios_base_dtor 7833->7835 7834->7833 8569 6e4360 DeleteCriticalSection 8570 6e1f7f abort 8571 6e1f88 8570->8571 8572 6e1fa7 8571->8572 8573 6e1eef __InternalCxxFrameHandler abort 8571->8573 8580 6e0eb3 RtlUnwind 8572->8580 8573->8572 8575 6e1fbc 8576 6e2942 
__FrameHandler3::FrameUnwindToState 14 API calls 8575->8576 8577 6e1fcd __FrameHandler3::FrameUnwindToState 8576->8577 8578 6e26d2 __InternalCxxFrameHandler 20 API calls 8577->8578 8579 6e1ff5 __InternalCxxFrameHandler 8578->8579 8580->8575 8584 6dff7e 8587 6dffbe 8584->8587 8585 6dffa3 DecodePointer 8585->8587 8586 6dffd3 8587->8585 8587->8586 7843 6d9c70 7844 6d9cd1 7843->7844 7845 6da2f0 45 API calls 7844->7845 7846 6d9d35 7845->7846 7847 6e0052 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 7846->7847 7848 6d9d4b 7847->7848 8017 6d1170 8020 6d117b std::ios_base::_Ios_base_dtor 8017->8020 8018 6d1235 std::ios_base::_Ios_base_dtor 8019 6d1257 _invalid_parameter_noinfo_noreturn 8020->8018 8020->8019 8021 6d1970 8022 6d197d 8021->8022 8025 6d19dd 8021->8025 8023 6d53e0 6 API calls 8022->8023 8024 6d19a4 8023->8024 8404 6d1e70 8405 6d1e7f 8404->8405 8407 6d1e9a 8404->8407 8405->8407 8408 6dfedb 8405->8408 8409 6dfef1 8408->8409 8411 6dff05 8408->8411 8410 6e0015 ___crtLCMapStringW 2 API calls 8409->8410 8409->8411 8410->8411 8411->8405 7849 6e1c70 7850 6e1c7a 7849->7850 7851 6e1c88 7849->7851 7850->7851 7852 6e1c81 free 7850->7852 7852->7851 8026 6e2571 8027 6e257f ___except_validate_context_record 8026->8027 8028 6e1c8c __InternalCxxFrameHandler 13 API calls 8027->8028 8029 6e2585 8028->8029 8030 6e25c4 8029->8030 8033 6e25ea 8029->8033 8034 6e25e2 8029->8034 8030->8034 8035 6e292a 8030->8035 8033->8034 8038 6e2008 8033->8038 8088 6e2942 8035->8088 8037 6e293d 8037->8034 8040 6e2028 __FrameHandler3::FrameUnwindToState 8038->8040 8039 6e23a7 abort 8040->8039 8042 6e210a 8040->8042 8043 6e1c8c __InternalCxxFrameHandler 13 API calls 8040->8043 8041 6e2310 8041->8039 8062 6e230e 8041->8062 8118 6e23ad 8041->8118 8042->8041 8044 6e2193 8042->8044 8086 6e2110 type_info::operator== 8042->8086 8046 6e208a 8043->8046 8052 6e22aa __InternalCxxFrameHandler 8044->8052 8104 6e0cc0 8044->8104 8045 6e1c8c __InternalCxxFrameHandler 13 API calls 8048 6e233b 
8045->8048 8049 6e2341 8046->8049 8051 6e1c8c __InternalCxxFrameHandler 13 API calls 8046->8051 8048->8039 8048->8049 8049->8034 8053 6e2098 8051->8053 8054 6e22da 8052->8054 8055 6e22ff 8052->8055 8056 6e22e4 8052->8056 8052->8062 8057 6e1c8c __InternalCxxFrameHandler 13 API calls 8053->8057 8054->8056 8054->8062 8058 6e2a2a __InternalCxxFrameHandler abort 8055->8058 8059 6e1c8c __InternalCxxFrameHandler 13 API calls 8056->8059 8065 6e20a0 8057->8065 8060 6e2308 8058->8060 8061 6e22ef 8059->8061 8060->8062 8063 6e236b 8060->8063 8064 6e1c8c __InternalCxxFrameHandler 13 API calls 8061->8064 8062->8045 8067 6e1c8c __InternalCxxFrameHandler 13 API calls 8063->8067 8064->8086 8065->8039 8066 6e1c8c __InternalCxxFrameHandler 13 API calls 8065->8066 8069 6e20e9 8066->8069 8070 6e2370 8067->8070 8068 6e2346 terminate 8076 6e234b __InternalCxxFrameHandler 8068->8076 8069->8042 8072 6e1c8c __InternalCxxFrameHandler 13 API calls 8069->8072 8071 6e1c8c __InternalCxxFrameHandler 13 API calls 8070->8071 8073 6e2378 8071->8073 8075 6e20f3 8072->8075 8133 6e0eb3 RtlUnwind 8073->8133 8074 6e21b4 ___TypeMatch 8074->8052 8108 6e1f88 8074->8108 8077 6e1c8c __InternalCxxFrameHandler 13 API calls 8075->8077 8082 6e12ec CallUnexpected RaiseException 8076->8082 8080 6e20fe 8077->8080 8101 6e2a2a 8080->8101 8081 6e238c 8084 6e292a __InternalCxxFrameHandler 14 API calls 8081->8084 8082->8063 8085 6e2398 __InternalCxxFrameHandler 8084->8085 8134 6e28a1 8085->8134 8086->8068 8086->8076 8089 6e294e ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 8088->8089 8090 6e1c8c __InternalCxxFrameHandler 13 API calls 8089->8090 8091 6e2969 __CallSettingFrame@12 __FrameHandler3::FrameUnwindToState 8090->8091 8092 6e2a24 abort 8091->8092 8096 6e2a10 8091->8096 8095 6e29ee __FrameHandler3::FrameUnwindToState 8095->8037 8097 6e1c8c __InternalCxxFrameHandler 13 API calls 8096->8097 8098 6e2a15 8097->8098 8099 6e29e9 8098->8099 8100 6e1c8c __InternalCxxFrameHandler 13 API calls 

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 0 6dab99-6daba8 GetPEB 1 6daba9-6dabaf 0->1 1->1 2 6dabb1-6dabe9 call 6dab19 call 6daa89 1->2 7 6dac39-6dac60 2->7 8 6dabeb-6dabf0 2->8 18 6dac84-6dac92 call 6daa89 7->18 19 6dac62 7->19 9 6dac01-6dac03 8->9 10 6dabf2 8->10 13 6dac0e-6dac18 9->13 14 6dac05-6dac08 9->14 12 6dabf9-6dabff 10->12 12->9 12->12 16 6dac2b-6dac2e 13->16 17 6dac1a-6dac29 13->17 14->13 15 6dac0a 14->15 15->13 16->7 20 6dac30-6dac33 16->20 17->16 17->17 25 6dac94-6dacc6 VirtualProtect 18->25 26 6dad13-6dad1e 18->26 21 6dac69-6dac82 19->21 20->7 23 6dac35 20->23 21->18 21->21 23->7 27 6dacc8 25->27 28 6dace0-6dad0e VirtualProtect call 6d5d93 25->28 29 6dacc9-6dacde 27->29 31 6dad10 28->31 29->28 29->29 31->26
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(006D336F,00005000,00000040,?,?,?,?,00000007,?,?,?,?), ref: 006DACAE
                                                                                                              • VirtualProtect.KERNELBASE(006D336F,00005000,?,?,?,?,?,00000007,?,?,?,?), ref: 006DACF8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID: o3m
                                                                                                              • API String ID: 544645111-2074226138
                                                                                                              • Opcode ID: 1e830b8f7c64ceb3b0189d83f49a0e5242289fec9246af1008cf21fc4b845581
                                                                                                              • Instruction ID: 5527cf62a30a9332c4b25583477fbcb7bd34b3b15024f81b839e47e4e4298c2f
                                                                                                              • Opcode Fuzzy Hash: 1e830b8f7c64ceb3b0189d83f49a0e5242289fec9246af1008cf21fc4b845581
                                                                                                              • Instruction Fuzzy Hash: F9418971A043419FCB14DFA8EC90B76B3E7FB49310F48956AE4458B361D735E850CBA6
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 33 6d4a13-6d4a21 34 6d4a28-6d4a2f 33->34 35 6d4b7a-6d4b7e 34->35 36 6d4a35-6d4a4c call 6d49b3 34->36 39 6d4a4e 36->39 40 6d4a53-6d4a80 call 6d4423 NtQuerySystemInformation 36->40 39->35 43 6d4a8c-6d4aa9 call 6d49b3 40->43 44 6d4a82-6d4a8a 40->44 47 6d4aac-6d4ab2 43->47 44->34 48 6d4ab8-6d4abf 47->48 49 6d4b73 47->49 50 6d4ac5-6d4ae5 call 6d4423 48->50 51 6d4b63-6d4b6e 48->51 49->35 54 6d4af0-6d4af6 50->54 51->47 55 6d4b1c-6d4b48 call 6d47e3 call 6d4063 54->55 56 6d4af8-6d4b04 54->56 63 6d4b4a-6d4b50 55->63 64 6d4b52-6d4b5b 55->64 56->55 57 6d4b06-6d4b1a 56->57 57->54 63->51 64->51 65 6d4b5d-6d4b60 64->65 65->51
                                                                                                              APIs
                                                                                                                • Part of subcall function 006D49B3: GlobalAlloc.KERNELBASE(?,00000000,?), ref: 006D49E3
                                                                                                              • NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 006D4A77
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocGlobalInformationQuerySystem
                                                                                                              • String ID: JVm$JVm
                                                                                                              • API String ID: 3737350999-1272805911
                                                                                                              • Opcode ID: 7ca443ba4ff18fd1a0dd82d3c5802fab018ac8a71c66cc2ce2756389a81c11f4
                                                                                                              • Instruction ID: 108fbb4f8cf57644172ff34c5020e454534c43798a0378fb180e4fb54a6a665a
                                                                                                              • Opcode Fuzzy Hash: 7ca443ba4ff18fd1a0dd82d3c5802fab018ac8a71c66cc2ce2756389a81c11f4
                                                                                                              • Instruction Fuzzy Hash: 7351EA75D04209EBCB44CF98C890BEEB7B6FF58300F14855AE915AB344DB75AE81CBA4
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 66 6d42f3-6d431e CreateFileW 67 6d4327-6d4344 66->67 68 6d4320-6d4322 66->68 71 6d4356-6d438c call 6d49b3 ReadFile 67->71 72 6d4346-6d4354 67->72 69 6d43b4-6d43b7 68->69 76 6d439e-6d43b2 FindCloseChangeNotification 71->76 77 6d438e-6d439c 71->77 72->69 76->69 77->69
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000), ref: 006D4315
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: 811ed88586e1a9313cd571564231c22e97687d35a065f62fc27905b3f91c6921
                                                                                                              • Instruction ID: da998bd71e1f90bc34c57fa0e21a8ed7cdf330532e4c5294aa954fe8f29246d4
                                                                                                              • Opcode Fuzzy Hash: 811ed88586e1a9313cd571564231c22e97687d35a065f62fc27905b3f91c6921
                                                                                                              • Instruction Fuzzy Hash: 7B31B175A00108FFCB14DF99C891F9EB7B5EF48310F208199E919AB391DA71AE41DB54
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 006D49B3: GlobalAlloc.KERNELBASE(?,00000000,?), ref: 006D49E3
                                                                                                              • VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 006D5D08
                                                                                                              • VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 006D5D3B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual$AllocGlobal
                                                                                                              • String ID:
                                                                                                              • API String ID: 3893020805-0
                                                                                                              • Opcode ID: 9f469a8fc07bab29a0d25244140180354860aa8e4d3ec3e01d86e5f0fa3499b1
                                                                                                              • Instruction ID: bff81771313aefb145e4ca1ed321ecbe73417ec42fd7b1f7db4ecbfaf1f57f08
                                                                                                              • Opcode Fuzzy Hash: 9f469a8fc07bab29a0d25244140180354860aa8e4d3ec3e01d86e5f0fa3499b1
                                                                                                              • Instruction Fuzzy Hash: 6D3175B5D01118AFDB64DBA8D981FDEB7BAAF8C300F108599E51DA3305E631AE45CF60
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 90 6d49b3-6d49c1 91 6d49cf-6d49e8 GlobalAlloc 90->91 92 6d49c3-6d49cc 90->92 92->91
                                                                                                              APIs
                                                                                                              • GlobalAlloc.KERNELBASE(?,00000000,?), ref: 006D49E3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocGlobal
                                                                                                              • String ID: `Tm
                                                                                                              • API String ID: 3761449716-1514313607
                                                                                                              • Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
                                                                                                              • Instruction ID: 62e278ab91fa34bf7da32c5c3100477a39def7f25a532ea974948ee0e4601564
                                                                                                              • Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
                                                                                                              • Instruction Fuzzy Hash: 0CF0A578A04208EFCB44DF58D480999B7B5FB4C320F10C299FC188B345C630EE81CB94
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 127 6d3f23-6d3f5f call 6d49b3 call 6d44f3 LoadLibraryW
                                                                                                              APIs
                                                                                                                • Part of subcall function 006D49B3: GlobalAlloc.KERNELBASE(?,00000000,?), ref: 006D49E3
                                                                                                              • LoadLibraryW.KERNELBASE(?), ref: 006D3F54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocGlobalLibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 3361179946-0
                                                                                                              • Opcode ID: 1feaf0e274cf16ef0741fa9d108665e6c366966b39e006d739153cc267d6f199
                                                                                                              • Instruction ID: daef65feb8b98604609bbf20b2ae562af5bf3073d2da9483e4ee589b7e1e6152
                                                                                                              • Opcode Fuzzy Hash: 1feaf0e274cf16ef0741fa9d108665e6c366966b39e006d739153cc267d6f199
                                                                                                              • Instruction Fuzzy Hash: 4CE0E575E00108BBCB40DFA8DD9195D7BB9AF48201F108199F90897345E531AE518791
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 006DB980: GetModuleFileNameW.KERNEL32(00000000,E1E504E9,?,00000082,00000000,E1E504E9,?), ref: 006DBA1C
                                                                                                                • Part of subcall function 006DB980: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000), ref: 006DBAAA
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 006DF307
                                                                                                                • Part of subcall function 006DCB60: GetFileAttributesExW.KERNEL32(?,00000000,?,E1E504E9), ref: 006DCBD2
                                                                                                                • Part of subcall function 006DE500: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CheckIP.dll,CheckIP.dll,00000000,00000000,E1E504E9,?,?,?,?,?,?,?,?,00000000), ref: 006DE575
                                                                                                                • Part of subcall function 006DE500: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CheckIP.dll,CheckIP.dll,?,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 006DE5C6
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(E1E504E9,?), ref: 006DEA8C
                                                                                                              Strings
                                                                                                              • https://go.microsoft.com/fwlink/?linkid=798306, xrefs: 006DECF5
                                                                                                              • Probed for and did not resolve library symbol %S, xrefs: 006DED4E, 006DEED8, 006DEF44
                                                                                                              • %s, xrefs: 006DECFA
                                                                                                              • The required library %s does not support relative app dll paths., xrefs: 006DEEF6
                                                                                                              • The required library %s does not support single-file apps., xrefs: 006DED64
                                                                                                              • Bundle Header Offset: [%lld], xrefs: 006DEE52
                                                                                                              • The library %s was found, but loading it from %s failed, xrefs: 006DECDB
                                                                                                              • hostfxr.dll, xrefs: 006DECD6
                                                                                                              • hostfxr_main_startupinfo, xrefs: 006DEEB4, 006DEED3
                                                                                                              • A fatal error was encountered. This executable was not bound to load a managed DLL., xrefs: 006DE9B9
                                                                                                              • - Installing .NET prerequisites might help resolve this problem., xrefs: 006DECE8
                                                                                                              • Invoking fx resolver [%s] hostfxr_main_startupinfo, xrefs: 006DEFDE
                                                                                                              • Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo, xrefs: 006DEDFE
                                                                                                              • The application to execute does not exist: '%s'., xrefs: 006DEBC5
                                                                                                              • Host path: [%s], xrefs: 006DEE14, 006DEFF4
                                                                                                              • hostfxr_main, xrefs: 006DEF28, 006DEF3F
                                                                                                              • App path: [%s], xrefs: 006DEE46, 006DF026
                                                                                                              • Dotnet path: [%s], xrefs: 006DEE30, 006DF010
                                                                                                              • Invoking fx resolver [%s] v1, xrefs: 006DEF16
                                                                                                              • Detected Single-File app bundle, xrefs: 006DEB48
                                                                                                              • The required library %s does not contain the expected entry point., xrefs: 006DEF5A
                                                                                                              • Failed to resolve full path of the current executable [%s], xrefs: 006DF2C9
                                                                                                              • hostfxr_main_bundle_startupinfo, xrefs: 006DED2E, 006DED49
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn$ByteCharFileMultiWide$AttributesModuleName
                                                                                                              • String ID: %s$ - Installing .NET prerequisites might help resolve this problem.$A fatal error was encountered. This executable was not bound to load a managed DLL.$App path: [%s]$Bundle Header Offset: [%lld]$Detected Single-File app bundle$Dotnet path: [%s]$Failed to resolve full path of the current executable [%s]$Host path: [%s]$Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo$Invoking fx resolver [%s] hostfxr_main_startupinfo$Invoking fx resolver [%s] v1$Probed for and did not resolve library symbol %S$The application to execute does not exist: '%s'.$The library %s was found, but loading it from %s failed$The required library %s does not contain the expected entry point.$The required library %s does not support relative app dll paths.$The required library %s does not support single-file apps.$hostfxr.dll$hostfxr_main$hostfxr_main_bundle_startupinfo$hostfxr_main_startupinfo$https://go.microsoft.com/fwlink/?linkid=798306
                                                                                                              • API String ID: 2393550857-2715600819
                                                                                                              • Opcode ID: 4610ff1ebb9bf8cd355a9d6d612c4749700d0b16983983d7144691d7f71d186b
                                                                                                              • Instruction ID: 5e50f02fe9ad1228569e97a8ecaf3ee07e46855efd9a2a83f6ff2226f4762a3c
                                                                                                              • Opcode Fuzzy Hash: 4610ff1ebb9bf8cd355a9d6d612c4749700d0b16983983d7144691d7f71d186b
                                                                                                              • Instruction Fuzzy Hash: 67528B31D00259CBDF10DFA4CC95BEDB7B2BF54304F2081AAE459AB291EB70AA85CF51
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                                • Part of subcall function 006DCA70: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 006DCA94
                                                                                                                • Part of subcall function 006DCA70: GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAA0
                                                                                                                • Part of subcall function 006DCA70: GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAAD
                                                                                                              • _wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,E1E504E9), ref: 006D294C
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,Bundle header version compatibility check failed.,00000031), ref: 006D2A76
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006D2B61
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,E1E504E9), ref: 006D2F81
                                                                                                              • MessageBoxW.USER32(00000000,?,?,00000014), ref: 006D3349
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$EnvironmentMessageVariable_wtoi
                                                                                                              • String ID: https://aka.ms/dotnet/app-launch-failedWould you like to download it now?$ _ $ was not found.$&apphost_version=$&gui=true$7.0.2$Bundle header version compatibility check failed.$DOTNET_DISABLE_GUI_ERRORS$Framework: '$Learn about $Showing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %s$T[m$The framework '$You must install or update .NET to run this application.$framework resolution:$open$runtime installation:
                                                                                                              • API String ID: 4017193638-783867641
                                                                                                              • Opcode ID: 0bca69f4156bb5dba0005f7c1e7eebed32c1998f6c6dd672899c3d755a60310b
                                                                                                              • Instruction ID: db08ab530b67fee6387102bae52aadd1b2662d42e3ea97c350d6bea30b5f7bda
                                                                                                              • Opcode Fuzzy Hash: 0bca69f4156bb5dba0005f7c1e7eebed32c1998f6c6dd672899c3d755a60310b
                                                                                                              • Instruction Fuzzy Hash: 6C627D30D10269CBEB24CB24CD95BEDB7B2AF55304F1082DAE549A7392EB746AC4CF51
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                                • Part of subcall function 006DCA70: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 006DCA94
                                                                                                                • Part of subcall function 006DCA70: GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAA0
                                                                                                                • Part of subcall function 006DCA70: GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAAD
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,\Setup\InstalledVersions\,00000019,SOFTWARE\dotnet,0000000F,E1E504E9,?,?), ref: 006DC361
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,\Setup\InstalledVersions\,00000019,SOFTWARE\dotnet,0000000F,E1E504E9,?,?), ref: 006DC3DC
                                                                                                              Strings
                                                                                                              • \Setup\InstalledVersions\, xrefs: 006DC1C4
                                                                                                              • _DOTNET_TEST_GLOBALLY_REGISTERED_PATH, xrefs: 006DC699
                                                                                                              • _DOTNET_TEST_REGISTRY_PATH, xrefs: 006DBEB1
                                                                                                              • SOFTWARE\dotnet, xrefs: 006DBE59
                                                                                                              • HKEY_CURRENT_USER\, xrefs: 006DBECF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$EnvironmentVariable
                                                                                                              • String ID: HKEY_CURRENT_USER\$SOFTWARE\dotnet$\Setup\InstalledVersions\$_DOTNET_TEST_GLOBALLY_REGISTERED_PATH$_DOTNET_TEST_REGISTRY_PATH
                                                                                                              • API String ID: 1857851154-750039677
                                                                                                              • Opcode ID: f5169cecfd98d1220f3505edb8ca8c51ac140366357b05b387b1f4bf2aef109c
                                                                                                              • Instruction ID: bce15b832a53405b2babf070f7d78fb5930fae7b0c703dafe8deaff92da2184c
                                                                                                              • Opcode Fuzzy Hash: f5169cecfd98d1220f3505edb8ca8c51ac140366357b05b387b1f4bf2aef109c
                                                                                                              • Instruction Fuzzy Hash: 5302BD31D10259CFDB14CF68DC85BEDB7B2AF85314F20829EE415A7391DB70AA85CB60
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,E1E504E9,?,00000007), ref: 006DD1E0
                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010,?,?,?,E1E504E9,?,00000007), ref: 006DD421
                                                                                                              • FindClose.KERNEL32(?,?,?,?,E1E504E9,?,00000007), ref: 006DD43C
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,E1E504E9,?,00000007), ref: 006DD4B8
                                                                                                                • Part of subcall function 006D1490: ___std_exception_copy.LIBVCRUNTIME ref: 006D14BE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstNext___std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID:
                                                                                                              • API String ID: 1375165025-0
                                                                                                              • Opcode ID: d085aa438e1202c418b6ee330705d4cf0bf33354306995109ffa87aa1a1df18d
                                                                                                              • Instruction ID: 7a9dfa99f22ca3eeb78339788b61c1a6a1734834f30d3019a74861b86538df71
                                                                                                              • Opcode Fuzzy Hash: d085aa438e1202c418b6ee330705d4cf0bf33354306995109ffa87aa1a1df18d
                                                                                                              • Instruction Fuzzy Hash: C4D1C531D012088BDB24EF64CC99BEEB7B6EF45314F20429AE415A7390DB70AE85CB95
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006E0943
                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 006E0A0F
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E0A2F
                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 006E0A39
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                              • String ID:
                                                                                                              • API String ID: 254469556-0
                                                                                                              • Opcode ID: 854922b3e6eb3201f4fb4922b6b5390a20188f239d572c7a293b4909dfcea964
                                                                                                              • Instruction ID: 070f65ed18d6cafa0b399128610d507e5ca4c57b17a7fb585c7965600056c38f
                                                                                                              • Opcode Fuzzy Hash: 854922b3e6eb3201f4fb4922b6b5390a20188f239d572c7a293b4909dfcea964
                                                                                                              • Instruction Fuzzy Hash: A4313A75D0635CDBDB50DFA5D9897CDBBB9BF08304F1040AAE40DAB250EB715A848F45
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00000008,00000000), ref: 006DD63B
                                                                                                                • Part of subcall function 006D1490: ___std_exception_copy.LIBVCRUNTIME ref: 006D14BE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID:
                                                                                                              • API String ID: 3819911158-0
                                                                                                              • Opcode ID: 3586dc243d89d5544dd812c4367fe4cc31c072efaac0240c87d490fb1051b022
                                                                                                              • Instruction ID: 18666085148a8d6b5ad864e8e428644205415ac0b35f0a25b8c183635762495c
                                                                                                              • Opcode Fuzzy Hash: 3586dc243d89d5544dd812c4367fe4cc31c072efaac0240c87d490fb1051b022
                                                                                                              • Instruction Fuzzy Hash: FF91D371F012189BCB28DF6CD8805AEB7E6FF88314B24466FE91ADB741E671D9148790
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006E0636
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FeaturePresentProcessor
                                                                                                              • String ID:
                                                                                                              • API String ID: 2325560087-0
                                                                                                              • Opcode ID: 50f266ab47bb525db0d707dd433e556f9a5b221fb29b5be843dba7bed0531f41
                                                                                                              • Instruction ID: 615f4e1ad4c6f9237196df6a719b3c87ecc77dc29ca1ef2a92e811e92499b9a8
                                                                                                              • Opcode Fuzzy Hash: 50f266ab47bb525db0d707dd433e556f9a5b221fb29b5be843dba7bed0531f41
                                                                                                              • Instruction Fuzzy Hash: 2C514B719023858BEB24CF5AD8C57AAB7F2FB88314F24902AD405EB351D7B4AE81CF50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 9{M=
                                                                                                              • API String ID: 0-3917255391
                                                                                                              • Opcode ID: f2333ff33bb0851a9b5b409057b533b25faad3ce4935ca472aeafe83e83af7c0
                                                                                                              • Instruction ID: ab1178dd79bed8f37b53bb81b358b0229c0fe5efea6b66b60458ee65ad158748
                                                                                                              • Opcode Fuzzy Hash: f2333ff33bb0851a9b5b409057b533b25faad3ce4935ca472aeafe83e83af7c0
                                                                                                              • Instruction Fuzzy Hash: D2B1BB32C066959FD7168B3888997E2BBE3EF573603A4059BD4D14B796CB604883CBC9
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00010AB0,006E03F5), ref: 006E0A9E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID:
                                                                                                              • API String ID: 3192549508-0
                                                                                                              • Opcode ID: bee9b58566e8d5172568eed064e42c9214a0be08643b35aa78e011309c9c5245
                                                                                                              • Instruction ID: 4cf70d97828d2fe1d429462be6893ac8c4b0295e34558ea091ba41d707034726
                                                                                                              • Opcode Fuzzy Hash: bee9b58566e8d5172568eed064e42c9214a0be08643b35aa78e011309c9c5245
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7ede80693f8d441d9074d83d885c3b89783c40a96f5e451abede4d619b14707b
                                                                                                              • Instruction ID: f5f02a59596d414520bcdd898e898f28c06416d56befa0d9472c6ed8fb06e998
                                                                                                              • Opcode Fuzzy Hash: 7ede80693f8d441d9074d83d885c3b89783c40a96f5e451abede4d619b14707b
                                                                                                              • Instruction Fuzzy Hash: AE91CE329042919FDB168F388C996E6FBA2FF8B3603A4459EC0D18FB56D7205853C788
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c99a479058c070eb2fc54f99013099ebdda857195a2ba3993201935e4c99ddf9
                                                                                                              • Instruction ID: 029bee33414c73069cdcfb46e4e72cb9f1555cc621b6e627f7abdfc772d88e6d
                                                                                                              • Opcode Fuzzy Hash: c99a479058c070eb2fc54f99013099ebdda857195a2ba3993201935e4c99ddf9
                                                                                                              • Instruction Fuzzy Hash: F201A7366052698BCB20CF85D890AB6B3F3FF94752B48406BF9858B340DB34DC42D791
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                                                                                                              • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                                                                                                              • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                                                                                                              • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 006DC81D
                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020219,?,?,?,E1E504E9,?,?), ref: 006DC84E
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006DCA35
                                                                                                              Strings
                                                                                                              • The registry key ['%s'] does not exist., xrefs: 006DC864, 006DC86E
                                                                                                              • Looking for architecture-specific registry value in '%s'., xrefs: 006DC7E4
                                                                                                              • Failed to get the value of the install location registry value. Error code: 0x%X, xrefs: 006DC958
                                                                                                              • Found registered install location '%s'., xrefs: 006DC9AE
                                                                                                              • Failed to open the registry key. Error code: 0x%X, xrefs: 006DC87C, 006DC882
                                                                                                              • Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 006DCAC1
                                                                                                              • Failed to get the size of the install location registry value or it's empty. Error code: 0x%X, xrefs: 006DC9EF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn$Open
                                                                                                              • String ID: Failed to get the size of the install location registry value or it's empty. Error code: 0x%X$Failed to get the value of the install location registry value. Error code: 0x%X$Failed to open the registry key. Error code: 0x%X$Failed to read environment variable [%s], HRESULT: 0x%X$Found registered install location '%s'.$Looking for architecture-specific registry value in '%s'.$The registry key ['%s'] does not exist.
                                                                                                              • API String ID: 1987152144-1831965068
                                                                                                              • Opcode ID: 2134b28c4e1a9c0edaa36f8b051153230cbdf7b657170fabefe05d0780ae0098
                                                                                                              • Instruction ID: b78045af9199732b472534eb816556ba584b3a110aaff02ee78bc3ebaca97cfc
                                                                                                              • Opcode Fuzzy Hash: 2134b28c4e1a9c0edaa36f8b051153230cbdf7b657170fabefe05d0780ae0098
                                                                                                              • Instruction Fuzzy Hash: ACB1E271D012499BDB10DFA8DC85BAEB7BBEF44314F14422AF801EB391E7709945CBA5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

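The strings in the entry above (registry lookup for an install location, "Found registered install location '%s'.") and in the entry that follows (hostfxr resolution, "hostfxr.dll", the version string 7.0.2, the "You must install .NET to run this application" message) are the diagnostic messages of the .NET apphost launcher from dotnet/runtime's corehost, not of the stealer logic. They fingerprint the launcher that wraps the payload; the functions that emit them are the apphost's startup and error paths. The script below is an added example, not part of the Joe Sandbox report or of the sample, for triaging a dropped executable offline for those apphost markers and for pulling out candidate runtime version strings. The marker list, the two-marker threshold and the constructed byte buffer are assumptions chosen for illustration, and apphost strings are wide (UTF-16LE) on Windows, so both encodings are scanned.

```python
import json
import re
import sys
from typing import Dict, List

# Marker strings that the .NET apphost (dotnet/runtime corehost) embeds.
# Several of them appear verbatim in the report's string lists; the
# selection here is an assumption for this example, not an official list.
APPHOST_MARKERS = (
    "hostfxr.dll",
    "You must install .NET to run this application.",
    "Looking for architecture-specific registry value in '%s'.",
    "Using environment variable %s=[%s] as runtime location.",
    "The required library %s could not be found.",
)

# Bare dotted versions such as "7.0.2"; used only as candidates, since any
# unrelated "1.2.3" in the file also matches.
_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def classify_apphost(data: bytes) -> Dict[str, object]:
    """Flag a buffer as an apphost-style .NET launcher from its string table.

    Two or more distinct markers are required (assumed threshold) so that a
    single stray "hostfxr.dll" reference does not produce a verdict.
    """
    strings = extract_strings(data)
    markers = [mk for mk in APPHOST_MARKERS if any(mk in s for s in strings)]
    versions = sorted({s for s in strings if _VERSION_RE.match(s)})
    return {
        "is_apphost": len(markers) >= 2,
        "markers": markers,
        "candidate_versions": versions,
    }


def build_sample() -> bytes:
    """Constructed stand-in for an apphost image (not the analysed sample).

    Wide strings like those in the report, separated by non-printable junk,
    plus one plain ASCII string to show both scanners run.
    """
    wide = [
        "Looking for architecture-specific registry value in '%s'.",
        "Using environment variable %s=[%s] as runtime location.",
        "hostfxr.dll",
        "7.0.2",
        "You must install .NET to run this application.",
    ]
    blob = b"MZ\x90\x00" + b"\x00" * 16
    for s in wide:
        blob += s.encode("utf-16-le") + b"\x00\x00" + bytes(range(8))
    blob += b"plain-ascii-marker\x00"
    return blob


if __name__ == "__main__":
    # Usage: python apphost_triage.py <file.exe>; with no argument the
    # constructed sample is classified instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            payload = fh.read()
    else:
        payload = build_sample()
    print(json.dumps(classify_apphost(payload), indent=2))
```

A hit only says the file carries the launcher's string table; the managed assembly or other payload the launcher starts is where the stealer behaviour has to be confirmed, and a positive match on a file with no such payload is consistent with an unmodified apphost.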
                                                                                                              APIs
                                                                                                                • Part of subcall function 006DC630: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(E1E504E9), ref: 006DC702
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,00000000,?), ref: 006DE2AA
                                                                                                                • Part of subcall function 006DBCB0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006DBDBB
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?), ref: 006DE3D7
                                                                                                              Strings
                                                                                                              • Resolved fxr [%s]..., xrefs: 006DDFCC
                                                                                                              • A fatal error occurred, the default install location cannot be obtained., xrefs: 006DE080
                                                                                                              • fxr, xrefs: 006DE0EC
                                                                                                              • 7.0.2, xrefs: 006DE250, 006DE25A
                                                                                                              • Using environment variable %s=[%s] as runtime location., xrefs: 006DE059
                                                                                                              • host, xrefs: 006DE0D8
                                                                                                              • hostfxr.dll, xrefs: 006DDF1B, 006DE1F4
                                                                                                              • You must install .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: Not foundLearn abou, xrefs: 006DE266
                                                                                                              • Using global installation location [%s] as runtime location., xrefs: 006DE0A5
                                                                                                              • The required library %s could not be found. Searched with root path [%s], environment variable [%s], default install location [%s], xrefs: 006DE1F9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: 7.0.2$A fatal error occurred, the default install location cannot be obtained.$Resolved fxr [%s]...$The required library %s could not be found. Searched with root path [%s], environment variable [%s], default install location [%s]$Using environment variable %s=[%s] as runtime location.$Using global installation location [%s] as runtime location.$You must install .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: Not foundLearn abou$fxr$host$hostfxr.dll
                                                                                                              • API String ID: 3668304517-3859945431
                                                                                                              • Opcode ID: 3965c3ed2649fdb805fee515d4045abae700ec0a9923a2f4a61c32e2de2145bf
                                                                                                              • Instruction ID: 7b1dbf8231e4b7942eb6dbfc906b0a3769bb13af97d01cc20a78b2e1152f8847
                                                                                                              • Opcode Fuzzy Hash: 3965c3ed2649fdb805fee515d4045abae700ec0a9923a2f4a61c32e2de2145bf
                                                                                                              • Instruction Fuzzy Hash: 8AF1A130D10248CBDF14DFA4DC95BEDB7B2AF55304F10829EE405AB391EB716A85CB65
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CheckIP.dll,CheckIP.dll,00000000,00000000,E1E504E9,?,?,?,?,?,?,?,?,00000000), ref: 006DE575
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CheckIP.dll,CheckIP.dll,?,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 006DE5C6
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(CheckIP.dll), ref: 006DE79A
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,E1E504E9), ref: 006DE892
                                                                                                              Strings
                                                                                                              • The managed DLL bound to this executable could not be retrieved from the executable image., xrefs: 006DE7AF
                                                                                                              • 7.0.2, xrefs: 006DE846, 006DE84D
                                                                                                              • The managed DLL bound to this executable is: '%s', xrefs: 006DE761
                                                                                                              • CheckIP.dll, xrefs: 006DE540, 006DE566, 006DE567, 006DE5B9, 006DE5BA, 006DE5D4, 006DE5FA, 006DE5FB
                                                                                                              • c3ab8ff13720e8ad9047dd39466b3c89, xrefs: 006DE63C
                                                                                                              • You must install or update .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: %sLearn a, xrefs: 006DE859
                                                                                                              • This executable is not bound to a managed DLL to execute. The binding value is: '%s', xrefs: 006DE748
                                                                                                              • 74e592c2fa383d4a3960714caef0c4f2, xrefs: 006DE6DA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: 7.0.2$74e592c2fa383d4a3960714caef0c4f2$CheckIP.dll$The managed DLL bound to this executable could not be retrieved from the executable image.$The managed DLL bound to this executable is: '%s'$This executable is not bound to a managed DLL to execute. The binding value is: '%s'$You must install or update .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: %sLearn a$c3ab8ff13720e8ad9047dd39466b3c89
                                                                                                              • API String ID: 3834199983-11481455
                                                                                                              • Opcode ID: bb54fafb7390bf241275d0ec938c70557a84aee9ace404d1d530fcf96de859aa
                                                                                                              • Instruction ID: b1731959ad9b25fddee6b8d5fda2dea763173252ca5fb79502384653b341aa22
                                                                                                              • Opcode Fuzzy Hash: bb54fafb7390bf241275d0ec938c70557a84aee9ace404d1d530fcf96de859aa
                                                                                                              • Instruction Fuzzy Hash: A4B10531E002809FDB28AF28CC94BBEBBB3AB45314F14466EE4569F391D732A945C761
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(006EDE44), ref: 006DF3D1
                                                                                                              • fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 006DF3DD
                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 006DF3E8
                                                                                                              • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006DF3F2
                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 006DF3FD
                                                                                                              • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006DF407
                                                                                                              • LeaveCriticalSection.KERNEL32(006EDE44), ref: 006DF415
                                                                                                              Strings
                                                                                                              • Redirecting errors to custom writer., xrefs: 006DF3A2
                                                                                                              • 7.0.2, xrefs: 006DF363
                                                                                                              • apphost, xrefs: 006DF368
                                                                                                              • d037e070ebe5c83838443f869d5800752b0fcb13, xrefs: 006DF35E
                                                                                                              • --- Invoked %s [version: %s, commit hash: %s] main = {, xrefs: 006DF36D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: fflush$CriticalSection__acrt_iob_func$EnterLeave
                                                                                                              • String ID: --- Invoked %s [version: %s, commit hash: %s] main = {$7.0.2$Redirecting errors to custom writer.$apphost$d037e070ebe5c83838443f869d5800752b0fcb13
                                                                                                              • API String ID: 2658921962-160682431
                                                                                                              • Opcode ID: 3f82da0c49cfa1e42a59e43b0dd48bd25a0d151277d328841aed5cca77f68dad
                                                                                                              • Instruction ID: c0abf8a354c5680915675d6cecf42c0036b6c784524861e7756de9f239489648
                                                                                                              • Opcode Fuzzy Hash: 3f82da0c49cfa1e42a59e43b0dd48bd25a0d151277d328841aed5cca77f68dad
                                                                                                              • Instruction Fuzzy Hash: 7A11ECB1E407806FD7007769AC4FA4976579F4071DF060135F90B9E3D2DAB25A1485EB
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • type_info::operator==.LIBVCRUNTIME ref: 006E2127
                                                                                                              • ___TypeMatch.LIBVCRUNTIME ref: 006E2235
                                                                                                              • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E2346
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 006E2387
                                                                                                              • CallUnexpected.LIBVCRUNTIME ref: 006E23A2
                                                                                                              • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 006E23A7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindabortterminatetype_info::operator==
                                                                                                              • String ID: Dcn$csm$csm$csm
                                                                                                              • API String ID: 3594080642-2300697852
                                                                                                              • Opcode ID: 971394e4ece48eb3983de69def35603f7507e8b5cbcb1dd1768320803b6bfc56
                                                                                                              • Instruction ID: 7dda1ba0419d4937fa8c47ec1dbfbbc2ce0a7cb024161162bd4e4c5a1029ebdd
                                                                                                              • Opcode Fuzzy Hash: 971394e4ece48eb3983de69def35603f7507e8b5cbcb1dd1768320803b6bfc56
                                                                                                              • Instruction Fuzzy Hash: A2B19A7180238ADFCF25DFA6C8919EEB7BBBF04310B14415AE9106B212D335EA51CF95
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • RegisterEventSourceW.ADVAPI32(00000000,.NET Runtime), ref: 006D238A
                                                                                                              • ReportEventW.ADVAPI32(?,00000001,00000000,000003FF,00000000,00000001,00000000,00000028,00000000), ref: 006D249E
                                                                                                              • DeregisterEventSource.ADVAPI32(?), ref: 006D24A5
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,Application: ,0000000D,Description: A .NET application failed.,00000028), ref: 006D24D7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Event$Source$DeregisterRegisterReport_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: .NET Runtime$Application: $Description: A .NET application failed.$Message: $Path:
                                                                                                              • API String ID: 3261796893-2224758532
                                                                                                              • Opcode ID: 747e75385a1135e426d0dae6049d5a53081e8ba4bd211f90450140f204d50554
                                                                                                              • Instruction ID: 4277f2440e687594ebe077954808a506a2c637d998e540dd3a7834f206dc319d
                                                                                                              • Opcode Fuzzy Hash: 747e75385a1135e426d0dae6049d5a53081e8ba4bd211f90450140f204d50554
                                                                                                              • Instruction Fuzzy Hash: F3518231E54344ABDB14DB65EC96BAEB7B7EB54700F10411AF911AB3C0DB70A9448B94
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00001100,?,E1E504E9,?), ref: 006DBB5C
                                                                                                              • GetLastError.KERNEL32 ref: 006DBB68
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006DBC7D
                                                                                                                • Part of subcall function 006DCB60: GetFileAttributesExW.KERNEL32(?,00000000,?,E1E504E9), ref: 006DCBD2
                                                                                                              • GetModuleHandleExW.KERNEL32(00000001,?,?), ref: 006DBB93
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006DBC3D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn$AttributesErrorFileHandleLastLibraryLoadModule
                                                                                                              • String ID: Failed to load the dll from [%s], HRESULT: 0x%X$Failed to pin library [%s] in [%s]$Loaded library from %s$pal::load_library
                                                                                                              • API String ID: 1159982014-4234151505
                                                                                                              • Opcode ID: 41ab241a5728cff44bc3f7419cf7953365d4656633d6fb321e3d95045b995126
                                                                                                              • Instruction ID: e061f21dfe9ee1bd923652dae12f588b042c24927010b3f7de62386cc1ffafe9
                                                                                                              • Opcode Fuzzy Hash: 41ab241a5728cff44bc3f7419cf7953365d4656633d6fb321e3d95045b995126
                                                                                                              • Instruction Fuzzy Hash: 0351B131D10248CFDB14DFA8DC95BEDB7B6EB58304F10822AE411A7395EB74AA45C7A1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                                • Part of subcall function 006DD060: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,E1E504E9,?,00000007), ref: 006DD1E0
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,hostfxr.dll,0000000B,?,?,?,00000001,?,00000007), ref: 006DDE7A
                                                                                                              Strings
                                                                                                              • Resolved fxr [%s]..., xrefs: 006DDDB6
                                                                                                              • A fatal error occurred, the folder [%s] does not contain any version-numbered child folders, xrefs: 006DDC3E
                                                                                                              • Reading fx resolver directory=[%s], xrefs: 006DD97A
                                                                                                              • Considering fxr version=[%s]..., xrefs: 006DDA4D
                                                                                                              • hostfxr.dll, xrefs: 006DDD3F, 006DDDD8
                                                                                                              • A fatal error occurred, the required library %s could not be found in [%s], xrefs: 006DDDDD
                                                                                                              • Detected latest fxr version=[%s]..., xrefs: 006DDD18
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFindFirst_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: A fatal error occurred, the folder [%s] does not contain any version-numbered child folders$A fatal error occurred, the required library %s could not be found in [%s]$Considering fxr version=[%s]...$Detected latest fxr version=[%s]...$Reading fx resolver directory=[%s]$Resolved fxr [%s]...$hostfxr.dll
                                                                                                              • API String ID: 3588950029-3818166005
                                                                                                              • Opcode ID: 0e2a540c7e12111fb55643cfd7011a9b6c7f88d1689969a368e6f1d4da12cd90
                                                                                                              • Instruction ID: 43494ab946bc837289ebc0f602f2ff682800f3fd0247b4c3259a4791c9353d85
                                                                                                              • Opcode Fuzzy Hash: 0e2a540c7e12111fb55643cfd7011a9b6c7f88d1689969a368e6f1d4da12cd90
                                                                                                              • Instruction Fuzzy Hash: 58F1B170D00248DBDF14DF64DC95BEDB776AF54304F14829EE409AB382DB34AA89CBA5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?), ref: 006DB596
                                                                                                              • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000001), ref: 006DB5F9
                                                                                                              • Concurrency::cancel_current_task.LIBCPMT ref: 006DB6D4
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000), ref: 006DB6EA
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006DB6F3
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006DB6FC
                                                                                                                • Part of subcall function 006E006E: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,006DB545,00000018,E1E504E9,00000000,?), ref: 006E0083
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free$Concurrency::cancel_current_taskcalloclocaleconvmalloc
                                                                                                              • String ID: false$true
                                                                                                              • API String ID: 832963791-2658103896
                                                                                                              • Opcode ID: 57309d159fcf612c56b0a29dffa1992e16c9dd25e7c7f69620526a180a2f304c
                                                                                                              • Instruction ID: fb5ba43a49cda106d9c205614a0d26c3103260f1983c009ff34fcf065b2e1f15
                                                                                                              • Opcode Fuzzy Hash: 57309d159fcf612c56b0a29dffa1992e16c9dd25e7c7f69620526a180a2f304c
                                                                                                              • Instruction Fuzzy Hash: 246190B1D00348DBDB10DFA4DC45BDEB7B9FF04704F14426AE905AB251E7B1AA48CB95
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • GetFileAttributesExW.KERNEL32(?,00000000,?,E1E504E9), ref: 006DCBD2
                                                                                                              • GetFullPathNameW.KERNEL32(?,00000104,?,00000000,E1E504E9), ref: 006DCBF9
                                                                                                              • GetFullPathNameW.KERNEL32(?,00000000,?,00000000,00000008,00000000), ref: 006DCCF9
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,\\?\,?), ref: 006DCD6D
                                                                                                              • GetFileAttributesExW.KERNEL32(?,00000000,?,?,00000000,?,\\?\,?), ref: 006DCF70
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFileFullNamePath$_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: Error resolving full path [%s]$\\?\
                                                                                                              • API String ID: 3575543699-155424227
                                                                                                              • Opcode ID: 8f32687cbeed029e13842b5709c863b1fe1fc9d75c37d5d216b7fa959c987703
                                                                                                              • Instruction ID: 60dd18f5f05f68eaee59c2e764ce43ad5133443ba83ce84dbdc5818c7fd9fbd8
                                                                                                              • Opcode Fuzzy Hash: 8f32687cbeed029e13842b5709c863b1fe1fc9d75c37d5d216b7fa959c987703
                                                                                                              • Instruction Fuzzy Hash: FAC17171E112199BCB64DF64DC99BE9B7B6AF48310F1002DAE40AAB350DB34AF85CF54
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 006DBD4E
                                                                                                              • IsWow64Process.KERNEL32(00000000), ref: 006DBD55
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006DBDBB
                                                                                                                • Part of subcall function 006DCA70: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 006DCA94
                                                                                                                • Part of subcall function 006DCA70: GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAA0
                                                                                                                • Part of subcall function 006DCA70: GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAAD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastProcess$CurrentEnvironmentVariableWow64_invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: ProgramFiles$ProgramFiles(x86)$_DOTNET_TEST_DEFAULT_INSTALL_PATH$dotnet
                                                                                                              • API String ID: 4176612971-1903759158
                                                                                                              • Opcode ID: 7be9e215abeed68a81f28e858cbcb23eb0215a9bf3098225c39e8493bc2d69f2
                                                                                                              • Instruction ID: 8a3a61184508547ca457f39436292c0b748f6fb629b396808cfe0da315530ac7
                                                                                                              • Opcode Fuzzy Hash: 7be9e215abeed68a81f28e858cbcb23eb0215a9bf3098225c39e8493bc2d69f2
                                                                                                              • Instruction Fuzzy Hash: 8C31E771D04288DBCF14DFA8D8857EEBBB7EF48314F14911AE81167385DB349944CBA5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 006DB27D
                                                                                                                • Part of subcall function 006DF5F9: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,006D1B30,00000000,E1E504E9,?,?,?,006E333F,000000FF), ref: 006DF608
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 006DB2A0
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 006DB2C0
                                                                                                              • std::_Facet_Register.LIBCPMT ref: 006DB331
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 006DB353
                                                                                                              • Concurrency::cancel_current_task.LIBCPMT ref: 006DB36C
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00000000), ref: 006DB4A3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register_invalid_parameter_noinfo_noreturn_lock_locales
                                                                                                              • String ID:
                                                                                                              • API String ID: 4082917780-0
                                                                                                              • Opcode ID: 7a7b820d5a64c1c224371f1e1d3f89304c6aae95a0565efb67fcf8e63de2fc06
                                                                                                              • Instruction ID: d3bdf3c071ccd742148af8957d1dec4d1d9747c59f6955f68229aaca7595d51f
                                                                                                              • Opcode Fuzzy Hash: 7a7b820d5a64c1c224371f1e1d3f89304c6aae95a0565efb67fcf8e63de2fc06
                                                                                                              • Instruction Fuzzy Hash: 7D81E472D00259DFCB15DF68D880AAEB7B6FF44310F1602AAE815AB356D770AE01CBD5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006D1BD6
                                                                                                                • Part of subcall function 006DFB1F: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,?,?,006D1BDB,?,E1E504E9,?,00000000,006E3360,000000FF,?,bad locale name,00000000,E1E504E9), ref: 006DFB30
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006D1BE6
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006D1BFE
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006D1C16
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006D1C2E
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006D1C46
                                                                                                              • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000006), ref: 006D1C5E
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 006D1C70
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free$std::_$Locinfo::_Locinfo_dtorLockitLockit::~_setlocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 1033100201-0
                                                                                                              • Opcode ID: 397e7663c72c279f7b48f01c7e7845bbe145a94f8d3789d29d0ac7be62cf1add
                                                                                                              • Instruction ID: 8b641ae0ba0f684612495650c909c45dedd4d1e76dcb02c8261ab5e1eb943f39
                                                                                                              • Opcode Fuzzy Hash: 397e7663c72c279f7b48f01c7e7845bbe145a94f8d3789d29d0ac7be62cf1add
                                                                                                              • Instruction Fuzzy Hash: A7213EB0A04B409BD720CF29D949B5777E9EF05704F044929E84BCB740E779E518CBA5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 006E0333
                                                                                                              • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 006E033E
                                                                                                              • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 006E034A
                                                                                                              • __RTC_Initialize.LIBCMT ref: 006E0362
                                                                                                              • _configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,006E0C90), ref: 006E0377
                                                                                                                • Part of subcall function 006E0BF3: InitializeSListHead.KERNEL32(006EDD70,006E0387), ref: 006E0BF8
                                                                                                              • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00003EE0), ref: 006E0395
                                                                                                              • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 006E03B0
                                                                                                              • _initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E03BF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_wide_argv_initialize_wide_environment_set_app_type_set_fmode
                                                                                                              • String ID:
                                                                                                              • API String ID: 1947472503-0
                                                                                                              • Opcode ID: a9a5ad65ddeee8aae7fe4688af5fe333151a4668a01698960743a87c5da99922
                                                                                                              • Instruction ID: 9bd362c1e7b305adbd79699e3b3f710be062f92ef312612bcad4aa633bfaa6e7
                                                                                                              • Opcode Fuzzy Hash: a9a5ad65ddeee8aae7fe4688af5fe333151a4668a01698960743a87c5da99922
                                                                                                              • Instruction Fuzzy Hash: D5014B649033E256F9E033F3190BA9E024B1E50B94F20085EB844BB387DEE68AC1407F
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,006E1C91,006E122C,006E0AF4), ref: 006E1CA8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006E1CB6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006E1CCF
• SetLastError.KERNEL32(00000000,006E1C91,006E122C,006E0AF4), ref: 006E1D21
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 760f3fb396c3866752b8ae666d07b2aaef79b9d2db263b3842e0fd87ce5a6c91
• Instruction ID: b20ea0d63929a9fb0de90254627b8811a68d1a2cd36fcb8e0f62fe2f77132f35
• Opcode Fuzzy Hash: 760f3fb396c3866752b8ae666d07b2aaef79b9d2db263b3842e0fd87ce5a6c91
• Instruction Fuzzy Hash: 2D01B53220A3A65EE7642B767C85A5F279BEF53775730022DF1209E2E1EF254D03A184
Uniqueness
• Uniqueness Score: -1.00%
APIs
• _ValidateLocalCookies.LIBCMT ref: 006E1B07
• ___except_validate_context_record.LIBVCRUNTIME ref: 006E1B0F
• _ValidateLocalCookies.LIBCMT ref: 006E1B98
• __IsNonwritableInCurrentImage.LIBCMT ref: 006E1BC3
• _ValidateLocalCookies.LIBCMT ref: 006E1C18
Strings
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 89dba60d0b7995b2ccac1687b93c7c8206874279ab5b31bf3741c96d6bc3f5d5
• Instruction ID: 9a509c268ab4b0f99fead101252870c8f51d8d00823afd7bff324eea87cd9daa
• Opcode Fuzzy Hash: 89dba60d0b7995b2ccac1687b93c7c8206874279ab5b31bf3741c96d6bc3f5d5
• Instruction Fuzzy Hash: C741E730E023899BCF10DF6AC894AEE7BB7AF06354F148159E8155F392E771DA05DB90
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 006DCA94
• GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAA0
• GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAAD
• GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 006DCAF5
• GetLastError.KERNEL32(?,00000000,00000000), ref: 006DCAFF
Strings
• Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 006DCAC1, 006DCB13
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: ErrorLast$EnvironmentVariable
• String ID: Failed to read environment variable [%s], HRESULT: 0x%X
• API String ID: 2691138088-3628523914
• Opcode ID: 33d0b6ea0bd7ceaf3711cf3bcbfb6418d162554739032542bcb2b94bd5f5bfd7
• Instruction ID: cefbe614be842fbdbffb362109e083f7d5772b24b47b38809cdf6f45133b1685
• Opcode Fuzzy Hash: 33d0b6ea0bd7ceaf3711cf3bcbfb6418d162554739032542bcb2b94bd5f5bfd7
• Instruction Fuzzy Hash: A4216B71B0030527E7242B79BC8BBB7739EDB85365B04017FF80ACB310EA559C0581B5
Uniqueness
• Uniqueness Score: -1.00%
APIs
• EnterCriticalSection.KERNEL32(006EDE44), ref: 006DE41C
• fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 006DE428
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 006DE430
• fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006DE437
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 006DE43F
• fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006DE446
• LeaveCriticalSection.KERNEL32(006EDE44), ref: 006DE454
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: fflush$CriticalSection__acrt_iob_func$EnterLeave
• String ID:
• API String ID: 2658921962-0
• Opcode ID: 407677bc234fecae2d685f36e05be57adc246c5aade1eaa6259b4c416b0867d0
• Instruction ID: 49021a823da732c4c3c3d861f10881449ca19692b4907ad913f995364a80d73f
• Opcode Fuzzy Hash: 407677bc234fecae2d685f36e05be57adc246c5aade1eaa6259b4c416b0867d0
• Instruction Fuzzy Hash: C001DB31200780DFC7106B68EC8DB8ABBAA9F5470AF044065F607CF361CBB29400CBA1
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006E2DA8,00000000,?,006EDDB0,?,?,?,006E2F4B,00000004,InitializeCriticalSectionEx,006E6E10,InitializeCriticalSectionEx), ref: 006E2E04
• GetLastError.KERNEL32(?,006E2DA8,00000000,?,006EDDB0,?,?,?,006E2F4B,00000004,InitializeCriticalSectionEx,006E6E10,InitializeCriticalSectionEx,00000000,?,006E2B92), ref: 006E2E0E
• wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,api-ms-,00000007,?,006E2DA8,00000000,?,006EDDB0,?,?,?,006E2F4B,00000004,InitializeCriticalSectionEx,006E6E10,InitializeCriticalSectionEx), ref: 006E2E23
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006E2E36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: LibraryLoad$ErrorLastwcsncmp
• String ID: api-ms-
• API String ID: 3100911417-2084034818
• Opcode ID: e33e27061cc2b1667717f8d25a43fd6f460b16c8a6a3520b4bf43a6d72f905e9
• Instruction ID: e9e87aaefaffe6f9a9e9591e59db17338c29278b079f7aac493b575ea208ea45
• Opcode Fuzzy Hash: e33e27061cc2b1667717f8d25a43fd6f460b16c8a6a3520b4bf43a6d72f905e9
• Instruction Fuzzy Hash: C4E04830680349B7EB201B62EC4AB593B5BBF20B45F544030F90DBC1F5D76199118594
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___AdjustPointer.LIBCMT ref: 006E1E78
• ___AdjustPointer.LIBCMT ref: 006E1E9B
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(006EB268,00000010,006E1F23,?,?,?,?,006EB288,00000008,006E1FA7,?,?,?,00000000), ref: 006E1EE9
• ___AdjustPointer.LIBCMT ref: 006E1F37
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: AdjustPointer$abort
• String ID:
• API String ID: 4118245873-0
• Opcode ID: ff1de38e0d3479da2fc13ce4b0a57cb9ba213462054a6211774fcf54d7c5f286
• Instruction ID: e35f5ded66099bb7c4c7bdcf4d2e096164a7528195c6d84f2dafe84168d46086
• Opcode Fuzzy Hash: ff1de38e0d3479da2fc13ce4b0a57cb9ba213462054a6211774fcf54d7c5f286
• Instruction Fuzzy Hash: 9151C072A023869FDB29CF56D841BBA77A6EF46300F14452DFD024F291E731AD81EB90
Uniqueness
• Uniqueness Score: -1.00%
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 006E23D2
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 006E24DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: EncodePointerabort
• String ID: MOC$RCC
• API String ID: 1188231555-2084237596
• Opcode ID: ec9872b9b30d01845649c5f5f9da4712a7f785831bc0c515089e4704efcab03d
• Instruction ID: 84fe97afc13c8d6fbb2120dc0c9f0246be551677f8022427d2722b77a0e18ffe
• Opcode Fuzzy Hash: ec9872b9b30d01845649c5f5f9da4712a7f785831bc0c515089e4704efcab03d
• Instruction Fuzzy Hash: E2416C3190124AEFDF15DF99CD81AEE7BBABF48300F148099F9046B291D33599A0DB60
Uniqueness
• Uniqueness Score: -1.00%
                                                                                                              APIs
                                                                                                              • ___std_exception_copy.LIBVCRUNTIME ref: 006D223F
                                                                                                                • Part of subcall function 006E12EC: RaiseException.KERNEL32(E06D7363,00000001,00000003,006D140C,?,?,?,?,006D140C,?,006EB3A8), ref: 006E134C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionRaise___std_exception_copy
                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                              • API String ID: 3109751735-1866435925
                                                                                                              • Opcode ID: cc7e493324e09821c14f7fc7308253874d56d0093a7b6f14b2aa706d45aa8d52
                                                                                                              • Instruction ID: 5744c963fca04566fa733cd676e7d503b599ea385775857caf487d97f1086ee1
                                                                                                              • Opcode Fuzzy Hash: cc7e493324e09821c14f7fc7308253874d56d0093a7b6f14b2aa706d45aa8d52
                                                                                                              • Instruction Fuzzy Hash: 9F1106B1900345ABC310DF69CC02B96B7EAAF55310F14C62BFA55CB781E770AA55CB54
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E1221
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: terminate
                                                                                                              • String ID: MOC$RCC$csm
                                                                                                              • API String ID: 1821763600-2671469338
                                                                                                              • Opcode ID: c0772eb6ad4f1d782c23262ffcfadc9ac3f3b41d6ab54c09a00469886180550c
                                                                                                              • Instruction ID: b92667cb2e0f46c3c793a5947a33fa1d86480a1995455502c6e77417a9454764
                                                                                                              • Opcode Fuzzy Hash: c0772eb6ad4f1d782c23262ffcfadc9ac3f3b41d6ab54c09a00469886180550c
                                                                                                              • Instruction Fuzzy Hash: 63F0E235002384CFC3146F5AC4015C9B366FF46711B25015AD520CF222C3BCEA80EBCA
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,?,006DB5A8,?), ref: 006DFE22
                                                                                                              • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,?,006DB5A8,?), ref: 006DFE29
                                                                                                              • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,?,006DB5A8,?), ref: 006DFE31
                                                                                                              • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,006DB5A8,?), ref: 006DFE48
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                                                                              • String ID:
                                                                                                              • API String ID: 3203701943-0
                                                                                                              • Opcode ID: c69d3606f7c137579b5cce27356b03c5ddd67cd8b0da7d033abab4573a368a43
                                                                                                              • Instruction ID: 863a9e2402456579e41b498a926167a6f1ed8cb169b2e13631484abe060e2d6d
                                                                                                              • Opcode Fuzzy Hash: c69d3606f7c137579b5cce27356b03c5ddd67cd8b0da7d033abab4573a368a43
                                                                                                              • Instruction Fuzzy Hash: E1F0F4A2B027A626C7046B7B884991BFBD6DF48724701843EE40ACB703E635C94187D0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,006E7190,00000001,?,?), ref: 006D231B
                                                                                                              • fputws.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000), ref: 006D2323
                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 006D232B
                                                                                                              • fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 006D2334
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_func$fputwcfputws
                                                                                                              • String ID:
                                                                                                              • API String ID: 4117002349-0
                                                                                                              • Opcode ID: 7dd70094157fa09c2d94938799b1c0bfbf31f63ff9fcaeb8745dc41f1fc4a2d6
                                                                                                              • Instruction ID: baccbaffd82af95f452967347e72004a70657db4bec61617fb81eee384de71b2
                                                                                                              • Opcode Fuzzy Hash: 7dd70094157fa09c2d94938799b1c0bfbf31f63ff9fcaeb8745dc41f1fc4a2d6
                                                                                                              • Instruction Fuzzy Hash: 9AF0E231600714BFD7403BA4AC1AFEA765EDF05704F044005FA0ACF392DAA0AA008795
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,-00000002,006E7E04,00000001,00000000,HKCU\,E1E504E9,HKCU\,?,?,E1E504E9,00000000,?), ref: 006DC5EC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: HKCU\$HKLM\
                                                                                                              • API String ID: 3668304517-2581276437
                                                                                                              • Opcode ID: 06faf4fbc2a882ed04b5288cb238af8d310906c0235e8eddc3ce0238d7df057e
                                                                                                              • Instruction ID: 4bbc06eb7241959543518c2661edca3a16af1e8c7f0b2459c3f7cb80304a7ee8
                                                                                                              • Opcode Fuzzy Hash: 06faf4fbc2a882ed04b5288cb238af8d310906c0235e8eddc3ce0238d7df057e
                                                                                                              • Instruction Fuzzy Hash: 8E51D270D103498BDB08CF68D955BAEB7B2FF88314F14825EE415A7391EB70AA81CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,-00000004,?,?,00000029), ref: 006D26BF
                                                                                                              Strings
                                                                                                              • - https://aka.ms/dotnet-core-applaunch?, xrefs: 006D25C8
                                                                                                              • https://aka.ms/dotnet-core-applaunch?, xrefs: 006D2523
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: - https://aka.ms/dotnet-core-applaunch?$https://aka.ms/dotnet-core-applaunch?
                                                                                                              • API String ID: 3668304517-187807833
                                                                                                              • Opcode ID: 6faa6cfd376c52b3afa1c4a0843f477c6366e9b3856b79dc9cebd06fad03b656
                                                                                                              • Instruction ID: 92be38b903c01f0f0d028827887fbbf1c39b8c51c253d2044889d387b02bf9b7
                                                                                                              • Opcode Fuzzy Hash: 6faa6cfd376c52b3afa1c4a0843f477c6366e9b3856b79dc9cebd06fad03b656
                                                                                                              • Instruction Fuzzy Hash: F251A431D047998BDB10DF64ED91BEDB372FF69314F00939AE94966221EB306BC48B50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,E1E504E9), ref: 006DE892
                                                                                                              Strings
                                                                                                              • 7.0.2, xrefs: 006DE846, 006DE84D
                                                                                                              • You must install or update .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: %sLearn a, xrefs: 006DE859
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                              • String ID: 7.0.2$You must install or update .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: %sLearn a
                                                                                                              • API String ID: 3668304517-2201498465
                                                                                                              • Opcode ID: d5cc6a57f9acff3631f62de73b4491ac881e423e2b724648299ccf7d063007ef
                                                                                                              • Instruction ID: f3f9fa50d31300d6b99d04c8a5496faf01e59412fafa94f75ac4257f1a431962
                                                                                                              • Opcode Fuzzy Hash: d5cc6a57f9acff3631f62de73b4491ac881e423e2b724648299ccf7d063007ef
                                                                                                              • Instruction Fuzzy Hash: E321D431D002449BCB28DF59DC89BAEBB77FB85710F44025EE4165B790DB706A40C7A4
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%
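
Analyst note and added example (not part of the Joe Sandbox report, not Joe Sandbox code). The function records above are MSVC CRT/STL and .NET apphost code, not the stealer's own logic: `___std_exception_copy`, `terminate`, the `___lc_*`/`__pctype_func` locale calls, `std::_Lockit` and `std::_Locinfo` come from the C/C++ runtime, and the strings `https://aka.ms/dotnet-core-applaunch?`, `You must install or update .NET to run this application.` and `7.0.2` are the .NET apphost's missing-runtime message and host version. Their Opcode IDs and Instruction Fuzzy Hashes will therefore also match any .NET 7 framework-dependent executable and are weak family pivots. Two properties of the "API String ID" field are visible in the records themselves: its first component is derived from the API ID alone (the three `_invalid_parameter_noinfo_noreturn` records all carry `3668304517`), and its second component is `0` when the String ID is empty (`3203701943-0`). The script below parses records in this listing format, checks both properties, and attaches a heuristic origin label; the label rule and the function names are the author's assumptions, and RECORDS_TEXT is a constructed excerpt of three of the records above trimmed to the fields used.

```python
"""Index Joe Sandbox function-similarity records so they can be pivoted on.

Added example for this report, not Joe Sandbox code. RECORDS_TEXT is a
constructed excerpt: three of the report's records, trimmed to the fields used.
"""
import re
from collections import Counter, defaultdict

RECORDS_TEXT = r"""APIs
• ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,?,006DB5A8,?), ref: 006DFE22
Similarity
• API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
• String ID:
• API String ID: 3203701943-0
• Opcode ID: c69d3606f7c137579b5cce27356b03c5ddd67cd8b0da7d033abab4573a368a43
Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,-00000002,006E7E04,00000001,00000000,HKCU\,E1E504E9,HKCU\,?,?,E1E504E9,00000000,?), ref: 006DC5EC
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: HKCU\$HKLM\
• API String ID: 3668304517-2581276437
• Opcode ID: 06faf4fbc2a882ed04b5288cb238af8d310906c0235e8eddc3ce0238d7df057e
Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,-00000004,?,?,00000029), ref: 006D26BF
Strings
• https://aka.ms/dotnet-core-applaunch?, xrefs: 006D2523
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: - https://aka.ms/dotnet-core-applaunch?$https://aka.ms/dotnet-core-applaunch?
• API String ID: 3668304517-187807833
• Opcode ID: 6faa6cfd376c52b3afa1c4a0843f477c6366e9b3856b79dc9cebd06fad03b656
Uniqueness Score: -1.00%
"""

# "• name.MODULE(args), ref: ADDR" or "• name.MODULE ref: ADDR"
API_LINE = re.compile(r"^• (?P<func>[^.\s]+)\.(?P<module>[A-Za-z0-9_\-]+)"
                      r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
KV_LINE = re.compile(r"^• (?P<key>[^:]+):\s?(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Similarity")

def parse_records(text):
    """Split the listing into records; each record becomes a dict of its fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec, section = {"apis": [], "strings": []}, None
        for line in (raw.strip() for raw in chunk.splitlines()):
            if line in SECTIONS:
                section = line
            elif line.startswith("Uniqueness Score:"):
                rec["uniqueness"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            elif section == "APIs":
                m = API_LINE.match(line)        # "Part of subcall" lines do not match
                if m:
                    rec["apis"].append(m.groupdict())
            elif section == "Strings":
                rec["strings"].append(line.lstrip("• "))
            elif section == "Similarity":
                m = KV_LINE.match(line)
                if m:
                    rec[m["key"]] = m["val"]
        # "API String ID" is "<id of the API ID>-<id of the String ID>";
        # the second part is 0 when the String ID is empty.
        api_hash, str_hash = rec["API String ID"].split("-")
        rec["api_hash"], rec["str_hash"] = int(api_hash), int(str_hash)
        records.append(rec)
    return records

# Heuristic origin rule (an assumption of this example, not a Joe Sandbox field).
RUNTIME_MODULES = ("API-MS-WIN-CRT", "LIBVCRUNTIME", "LIBCPMT")
APPHOST_MARKERS = ("dotnet-core-applaunch", "App host version", "install or update .NET")

def classify(rec):
    """Label a record as .NET apphost text, CRT/STL runtime code, or unclassified."""
    if any(m in rec.get("String ID", "") for m in APPHOST_MARKERS):
        return "dotnet-apphost"
    if rec["apis"] and all(a["module"].startswith(RUNTIME_MODULES) for a in rec["apis"]):
        return "crt-stl-runtime"
    return "unclassified"

def api_hash_consistency(records):
    """API ID -> set of first API-String-ID components; each set should be a singleton."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["API ID"]].add(rec["api_hash"])
    return dict(seen)

def summarize(text):
    """Checks and pivot counts to run before reusing these IDs across reports."""
    recs = parse_records(text)
    return {
        "count": len(recs),
        "labels": [classify(r) for r in recs],
        "api_hash_consistent": all(len(v) == 1 for v in api_hash_consistency(recs).values()),
        "empty_string_hash_is_zero": all(
            (r.get("String ID", "") == "") == (r["str_hash"] == 0) for r in recs),
        "functions_per_api_hash": dict(Counter(r["api_hash"] for r in recs)),
    }
```

Run `summarize(RECORDS_TEXT)` on the excerpt: all three records are runtime or apphost code, the two `_invalid_parameter_noinfo_noreturn` records share the first API String ID component, and the record with an empty String ID is the only one whose second component is zero. On a full report, records that classify as `unclassified` are the ones worth pivoting on by Opcode ID or Instruction Fuzzy Hash.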

                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 006D1B2B
                                                                                                                • Part of subcall function 006DF5F9: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,006D1B30,00000000,E1E504E9,?,?,?,006E333F,000000FF), ref: 006DF608
                                                                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006D1B7A
                                                                                                                • Part of subcall function 006DFAD4: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,00000000,?,006D1B7F,?,00000000,00000000,E1E504E9,?,?,?,006E333F,000000FF), ref: 006DFADB
                                                                                                                • Part of subcall function 006DFAD4: _Yarn.LIBCPMT ref: 006DFAF3
                                                                                                                • Part of subcall function 006DFAD4: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,00000000,00000000,?,?,006D1B7F,?,00000000,00000000,E1E504E9,?,?,?,006E333F,000000FF), ref: 006DFB03
                                                                                                                • Part of subcall function 006DFAD4: _Yarn.LIBCPMT ref: 006DFB17
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Yarnsetlocalestd::_$Locinfo::_Locinfo_ctorLockitLockit::__lock_locales
                                                                                                              • String ID: bad locale name
                                                                                                              • API String ID: 2174947689-1405518554
                                                                                                              • Opcode ID: 45afabbc6ef6ca83b3c48d32f596855f449223f39bd37022d3d79e374b92de7c
                                                                                                              • Instruction ID: e9eb2fe9d4dfd29a692d33138dac61eb8d7753f7d7eb219079c211eb394a6e36
                                                                                                              • Opcode Fuzzy Hash: 45afabbc6ef6ca83b3c48d32f596855f449223f39bd37022d3d79e374b92de7c
                                                                                                              • Instruction Fuzzy Hash: 21119171904B849FD320CF69C805B47BBE4EF19714F004A5EE49AC7B40D775A604CB95
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(?,hostfxr_set_error_writer), ref: 006D1148
Strings
Memory Dump Source
• Source File: 00000000.00000002.1695302153.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.1695082184.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695332963.00000000006E5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695347990.00000000006ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000006EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_BCb8yQ0fg8.jbxd
Similarity
• API ID: AddressProc
• String ID: Probed for and did not resolve library symbol %S$hostfxr_set_error_writer
• API String ID: 190572456-3442913825
• Opcode ID: 9dd9a5cb4c662c802e2662387a3b8447a4a6120132a2a9edc514604c54cfffa2
• Instruction ID: 23a3171552212a018283c8572cb48bdc6d2ac5afb388dfcfb6f8440f7ba903de
• Opcode Fuzzy Hash: 9dd9a5cb4c662c802e2662387a3b8447a4a6120132a2a9edc514604c54cfffa2
• Instruction Fuzzy Hash: FCC01271F86760678B611316BC0684939435B62BD93030051F90069352D5514C0442F1
Uniqueness
Uniqueness Score: -1.00%